Changeset 227617 in webkit

Timestamp:

Jan 25, 2018 11:32:00 AM (6 years ago)

Author:

fpizlo@apple.com

Message:

JSC GC should support TLCs (thread local caches)
​https://bugs.webkit.org/show_bug.cgi?id=181559

Reviewed by Mark Lam and Saam Barati.
Source/JavaScriptCore:

This is a big step towards object distancing by site origin. This patch implements TLCs, or
thread-local caches, which allow each thread to allocate from its own free lists. It also
means that any given thread can context-switch TLCs. This will allow us to do separate
allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this
will allow us to have a hard distancing constraint between objects from different origins.

In this new design, every "size class" is represented as a BlockDirectory (formerly known as
MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some
aligned memory allocator (which roughly represents which cage you came out of), and anyone
using the same allocator can share those blocks - but so long as they are in that
BlockDirectory, they will have the size and type of that directory. Previously, each
BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a double-linked-list of
LocalAllocators, each of which has a FreeList.

To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a
BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply
call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation
starts by figuring out what Allocator it wants (often we have this information at JIT time).
Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the
Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use
offsets as opposed to indices to make it easy to do the math on each allocation (if
LocalAllocator had a weird size then every allocation would have to do an imul).

This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on
unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane
geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is
something there, but it's not significant according to our threshold).

Relanding after fixing ARM64 bug in AssemblyHelpers::emitAllocateWithNonNullAllocator(). That
function needs to be careful to avoid using the scratch register because the FTL will call it
in disallow-scratch-register mode.

• JavaScriptCore.xcodeproj/project.pbxproj:
• Sources.txt:
• b3/B3LowerToAir.cpp:
• b3/B3PatchpointSpecial.cpp:

(JSC::B3::PatchpointSpecial::admitsStack):

• b3/B3StackmapSpecial.cpp:

(JSC::B3::StackmapSpecial::forEachArgImpl):
(JSC::B3::StackmapSpecial::isArgValidForRep):

• b3/B3StackmapValue.cpp:

(JSC::B3::StackmapValue::appendSomeRegisterWithClobber):

• b3/B3StackmapValue.h:
• b3/B3Validate.cpp:
• b3/B3ValueRep.cpp:

(JSC::B3::ValueRep::addUsedRegistersTo const):
(JSC::B3::ValueRep::dump const):
(WTF::printInternal):

• b3/B3ValueRep.h:

(JSC::B3::ValueRep::ValueRep):

• bytecode/AccessCase.cpp:

(JSC::AccessCase::generateImpl):

• bytecode/ObjectAllocationProfile.h:

(JSC::ObjectAllocationProfile::ObjectAllocationProfile):
(JSC::ObjectAllocationProfile::clear):

• bytecode/ObjectAllocationProfileInlines.h:

(JSC::ObjectAllocationProfile::initializeProfile):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileCreateThis):
(JSC::DFG::SpeculativeJIT::compileNewObject):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
(JSC::DFG::SpeculativeJIT::emitAllocateJSObject):

• ftl/FTLAbstractHeapRepository.h:
• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
(JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
(JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
(JSC::FTL::DFG::LowerDFGToB3::allocateObject):
(JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
(JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):

• heap/Allocator.cpp: Added.

(JSC::Allocator::cellSize const):

• heap/Allocator.h: Added.

(JSC::Allocator::Allocator):
(JSC::Allocator::offset const):
(JSC::Allocator::operator== const):
(JSC::Allocator::operator!= const):
(JSC::Allocator::operator bool const):

• heap/AllocatorInlines.h: Added.

(JSC::Allocator::allocate const):
(JSC::Allocator::tryAllocate const):

• heap/BlockDirectory.cpp:

(JSC::BlockDirectory::BlockDirectory):
(JSC::BlockDirectory::findBlockForAllocation):
(JSC::BlockDirectory::stopAllocating):
(JSC::BlockDirectory::prepareForAllocation):
(JSC::BlockDirectory::stopAllocatingForGood):
(JSC::BlockDirectory::resumeAllocating):
(JSC::BlockDirectory::endMarking):
(JSC::BlockDirectory::isFreeListedCell):
(JSC::BlockDirectory::didConsumeFreeList): Deleted.
(JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted.
(JSC::BlockDirectory::allocateIn): Deleted.
(JSC::BlockDirectory::tryAllocateIn): Deleted.
(JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted.
(JSC::BlockDirectory::allocateSlowCase): Deleted.

• heap/BlockDirectory.h:

(JSC::BlockDirectory::cellKind const):
(JSC::BlockDirectory::allocator const):
(JSC::BlockDirectory::freeList const): Deleted.
(JSC::BlockDirectory::offsetOfFreeList): Deleted.
(JSC::BlockDirectory::offsetOfCellSize): Deleted.

• heap/BlockDirectoryInlines.h:

(JSC::BlockDirectory::isFreeListedCell const): Deleted.
(JSC::BlockDirectory::allocate): Deleted.

• heap/CompleteSubspace.cpp:

(JSC::CompleteSubspace::CompleteSubspace):
(JSC::CompleteSubspace::allocatorFor):
(JSC::CompleteSubspace::allocate):
(JSC::CompleteSubspace::allocateNonVirtual):
(JSC::CompleteSubspace::allocatorForSlow):
(JSC::CompleteSubspace::allocateSlow):
(JSC::CompleteSubspace::tryAllocateSlow):

• heap/CompleteSubspace.h:

(JSC::CompleteSubspace::allocatorForSizeStep):
(JSC::CompleteSubspace::allocatorForNonVirtual):

• heap/FreeList.h:
• heap/GCDeferralContext.h:
• heap/Heap.cpp:

(JSC::Heap::Heap):
(JSC::Heap::lastChanceToFinalize):

• heap/Heap.h:

(JSC::Heap::threadLocalCacheLayout):

• heap/IsoCellSet.h:
• heap/IsoSubspace.cpp:

(JSC::IsoSubspace::IsoSubspace):
(JSC::IsoSubspace::allocatorFor):
(JSC::IsoSubspace::allocate):
(JSC::IsoSubspace::allocateNonVirtual):

• heap/IsoSubspace.h:

(JSC::IsoSubspace::allocatorForNonVirtual):

• heap/LocalAllocator.cpp: Added.

(JSC::LocalAllocator::LocalAllocator):
(JSC::LocalAllocator::reset):
(JSC::LocalAllocator::~LocalAllocator):
(JSC::LocalAllocator::stopAllocating):
(JSC::LocalAllocator::resumeAllocating):
(JSC::LocalAllocator::prepareForAllocation):
(JSC::LocalAllocator::stopAllocatingForGood):
(JSC::LocalAllocator::allocateSlowCase):
(JSC::LocalAllocator::didConsumeFreeList):
(JSC::LocalAllocator::tryAllocateWithoutCollecting):
(JSC::LocalAllocator::allocateIn):
(JSC::LocalAllocator::tryAllocateIn):
(JSC::LocalAllocator::doTestCollectionsIfNeeded):
(JSC::LocalAllocator::isFreeListedCell const):

• heap/LocalAllocator.h: Added.

(JSC::LocalAllocator::offsetOfFreeList):
(JSC::LocalAllocator::offsetOfCellSize):

• heap/LocalAllocatorInlines.h: Added.

(JSC::LocalAllocator::allocate):

• heap/MarkedSpace.cpp:

(JSC::MarkedSpace::stopAllocatingForGood):

• heap/MarkedSpace.h:
• heap/SlotVisitor.cpp:
• heap/SlotVisitor.h:
• heap/Subspace.h:
• heap/ThreadLocalCache.cpp: Added.

(JSC::ThreadLocalCache::create):
(JSC::ThreadLocalCache::ThreadLocalCache):
(JSC::ThreadLocalCache::~ThreadLocalCache):
(JSC::ThreadLocalCache::allocateData):
(JSC::ThreadLocalCache::destroyData):
(JSC::ThreadLocalCache::installSlow):
(JSC::ThreadLocalCache::installData):
(JSC::ThreadLocalCache::allocatorSlow):
(JSC::ThreadLocalCache::destructor):

• heap/ThreadLocalCache.h: Added.

(JSC::ThreadLocalCache::offsetOfSize):
(JSC::ThreadLocalCache::offsetOfFirstAllocator):

• heap/ThreadLocalCacheInlines.h: Added.

(JSC::ThreadLocalCache::getImpl):
(JSC::ThreadLocalCache::get):
(JSC::ThreadLocalCache::install):
(JSC::ThreadLocalCache::allocator):
(JSC::ThreadLocalCache::tryGetAllocator):

• heap/ThreadLocalCacheLayout.cpp: Added.

(JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout):
(JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout):
(JSC::ThreadLocalCacheLayout::allocateOffset):
(JSC::ThreadLocalCacheLayout::snapshot):
(JSC::ThreadLocalCacheLayout::directory):

• heap/ThreadLocalCacheLayout.h: Added.
• jit/AssemblyHelpers.cpp:

(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
(JSC::AssemblyHelpers::emitAllocate):
(JSC::AssemblyHelpers::emitAllocateVariableSized):

• jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::vm):
(JSC::AssemblyHelpers::emitAllocateJSCell):
(JSC::AssemblyHelpers::emitAllocateJSObject):
(JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
(JSC::AssemblyHelpers::emitAllocate): Deleted.
(JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted.

• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_create_this):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_new_object):
(JSC::JIT::emit_op_create_this):

• runtime/ButterflyInlines.h:

(JSC::Butterfly::createUninitialized):
(JSC::Butterfly::tryCreate):
(JSC::Butterfly::growArrayRight):

• runtime/DirectArguments.cpp:

(JSC::DirectArguments::overrideThings):

• runtime/GenericArgumentsInlines.h:

(JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):

• runtime/HashMapImpl.h:

(JSC::HashMapBuffer::create):

• runtime/JSArray.cpp:

(JSC::JSArray::tryCreateUninitializedRestricted):
(JSC::JSArray::unshiftCountSlowCase):

• runtime/JSArray.h:

(JSC::JSArray::tryCreate):

• runtime/JSArrayBufferView.cpp:

(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):

• runtime/JSCellInlines.h:

(JSC::tryAllocateCellHelper):

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::JSGlobalObject):

• runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::threadLocalCache const):

• runtime/JSLock.cpp:

(JSC::JSLock::didAcquireLock):

• runtime/Options.h:
• runtime/RegExpMatchesArray.h:

(JSC::tryCreateUninitializedRegExpMatchesArray):

• runtime/VM.cpp:

(JSC::VM::VM):

• runtime/VM.h:
• runtime/VMEntryScope.cpp:

(JSC::VMEntryScope::VMEntryScope):

Source/WTF:

• wtf/Bitmap.h: Just fixing a compile error.

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (11 diffs)
• JavaScriptCore/Sources.txt (modified) (3 diffs)
• JavaScriptCore/b3/B3LowerToAir.cpp (modified) (1 diff)
• JavaScriptCore/b3/B3PatchpointSpecial.cpp (modified) (1 diff)
• JavaScriptCore/b3/B3StackmapSpecial.cpp (modified) (4 diffs)
• JavaScriptCore/b3/B3StackmapValue.cpp (modified) (2 diffs)
• JavaScriptCore/b3/B3StackmapValue.h (modified) (2 diffs)
• JavaScriptCore/b3/B3Validate.cpp (modified) (3 diffs)
• JavaScriptCore/b3/B3ValueRep.cpp (modified) (4 diffs)
• JavaScriptCore/b3/B3ValueRep.h (modified) (3 diffs)
• JavaScriptCore/bytecode/AccessCase.cpp (modified) (2 diffs)
• JavaScriptCore/bytecode/ObjectAllocationProfile.h (modified) (3 diffs)
• JavaScriptCore/bytecode/ObjectAllocationProfileInlines.h (modified) (3 diffs)
• JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (9 diffs)
• JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (3 diffs)
• JavaScriptCore/ftl/FTLAbstractHeapRepository.h (modified) (2 diffs)
• JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (16 diffs)
• JavaScriptCore/heap/Allocator.cpp (added)
• JavaScriptCore/heap/Allocator.h (added)
• JavaScriptCore/heap/AllocatorInlines.h (added)
• JavaScriptCore/heap/BlockDirectory.cpp (modified) (8 diffs)
• JavaScriptCore/heap/BlockDirectory.h (modified) (9 diffs)
• JavaScriptCore/heap/BlockDirectoryInlines.h (modified) (1 diff)
• JavaScriptCore/heap/CompleteSubspace.cpp (modified) (9 diffs)
• JavaScriptCore/heap/CompleteSubspace.h (modified) (2 diffs)
• JavaScriptCore/heap/FreeList.h (modified) (1 diff)
• JavaScriptCore/heap/GCDeferralContext.h (modified) (2 diffs)
• JavaScriptCore/heap/Heap.cpp (modified) (3 diffs)
• JavaScriptCore/heap/Heap.h (modified) (3 diffs)
• JavaScriptCore/heap/IsoCellSet.h (modified) (1 diff)
• JavaScriptCore/heap/IsoSubspace.cpp (modified) (3 diffs)
• JavaScriptCore/heap/IsoSubspace.h (modified) (2 diffs)
• JavaScriptCore/heap/LocalAllocator.cpp (added)
• JavaScriptCore/heap/LocalAllocator.h (added)
• JavaScriptCore/heap/LocalAllocatorInlines.h (added)
• JavaScriptCore/heap/MarkedBlock.cpp (modified) (1 diff)
• JavaScriptCore/heap/MarkedSpace.cpp (modified) (1 diff)
• JavaScriptCore/heap/MarkedSpace.h (modified) (2 diffs)
• JavaScriptCore/heap/SlotVisitor.cpp (modified) (1 diff)
• JavaScriptCore/heap/SlotVisitor.h (modified) (2 diffs)
• JavaScriptCore/heap/Subspace.h (modified) (2 diffs)
• JavaScriptCore/heap/ThreadLocalCache.cpp (added)
• JavaScriptCore/heap/ThreadLocalCache.h (added)
• JavaScriptCore/heap/ThreadLocalCacheInlines.h (added)
• JavaScriptCore/heap/ThreadLocalCacheLayout.cpp (added)
• JavaScriptCore/heap/ThreadLocalCacheLayout.h (added)
• JavaScriptCore/jit/AssemblyHelpers.cpp (modified) (2 diffs)
• JavaScriptCore/jit/AssemblyHelpers.h (modified) (7 diffs)
• JavaScriptCore/jit/JITAllocator.h (added)
• JavaScriptCore/jit/JITOpcodes.cpp (modified) (5 diffs)
• JavaScriptCore/jit/JITOpcodes32_64.cpp (modified) (5 diffs)
• JavaScriptCore/runtime/ButterflyInlines.h (modified) (3 diffs)
• JavaScriptCore/runtime/DirectArguments.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/GenericArgumentsInlines.h (modified) (2 diffs)
• JavaScriptCore/runtime/HashMapImpl.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSArray.cpp (modified) (4 diffs)
• JavaScriptCore/runtime/JSArray.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSArrayBufferView.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSCellInlines.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/JSGlobalObject.h (modified) (3 diffs)
• JavaScriptCore/runtime/JSLock.cpp (modified) (3 diffs)
• JavaScriptCore/runtime/Options.h (modified) (1 diff)
• JavaScriptCore/runtime/RegExpMatchesArray.h (modified) (2 diffs)
• JavaScriptCore/runtime/VM.cpp (modified) (4 diffs)
• JavaScriptCore/runtime/VM.h (modified) (2 diffs)
• JavaScriptCore/runtime/VMEntryScope.cpp (modified) (3 diffs)
• WTF/ChangeLog (modified) (1 diff)
• WTF/wtf/Bitmap.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2018-01-25  Filip Pizlo  <fpizlo@apple.com>
+
+        JSC GC should support TLCs (thread local caches)
+        https://bugs.webkit.org/show_bug.cgi?id=181559
+
+        Reviewed by Mark Lam and Saam Barati.
+        
+        This is a big step towards object distancing by site origin. This patch implements TLCs, or
+        thread-local caches, which allow each thread to allocate from its own free lists. It also
+        means that any given thread can context-switch TLCs. This will allow us to do separate
+        allocation for separate site origins. Eventually, once we reshape how MarkedBlock looks, this
+        will allow us to have a hard distancing constraint between objects from different origins.
+        
+        In this new design, every "size class" is represented as a BlockDirectory (formerly known as
+        MarkedAllocator, prior to r226822). This contains a bag of blocks allocated using some
+        aligned memory allocator (which roughly represents which cage you came out of), and anyone
+        using the same allocator can share those blocks - but so long as they are in that
+        BlockDirectory, they will have the size and type of that directory. Previously, each
+        BlockDirectory had exactly one FreeList. Now, each BlockDirectory has a double-linked-list of
+        LocalAllocators, each of which has a FreeList.
+        
+        To decide which LocalAllocator to allocate out of, we need a ThreadLocalCache and a
+        BlockDirectory. The directory gives us an offset-within-the-ThreadLocalCache, which we simply
+        call the Allocator (which is just a POD type that contains a 32-bit offset). Each allocation
+        starts by figuring out what Allocator it wants (often we have this information at JIT time).
+        Then the allocation loads its ThreadLocalCache::Data from a fast TLS slot. Then we add the
+        Allocator offset to the ThreadLocalCache::Data to get the LocalAllocator. Note that we use
+        offsets as opposed to indices to make it easy to do the math on each allocation (if
+        LocalAllocator had a weird size then every allocation would have to do an imul).
+        
+        This is a definite slow-down on GC-heavy benchmarks, but by a small margin, and only on
+        unusually heavy tests. For example, boyer and splay are both 3% regressed, but the Octane
+        geomean is just fine. The JetStream score regressed by 0.5% with p = 0.08 (so maybe there is
+        something there, but it's not significant according to our threshold).
+        
+        Relanding after fixing ARM64 bug in AssemblyHelpers::emitAllocateWithNonNullAllocator(). That
+        function needs to be careful to avoid using the scratch register because the FTL will call it
+        in disallow-scratch-register mode.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * b3/B3LowerToAir.cpp:
+        * b3/B3PatchpointSpecial.cpp:
+        (JSC::B3::PatchpointSpecial::admitsStack):
+        * b3/B3StackmapSpecial.cpp:
+        (JSC::B3::StackmapSpecial::forEachArgImpl):
+        (JSC::B3::StackmapSpecial::isArgValidForRep):
+        * b3/B3StackmapValue.cpp:
+        (JSC::B3::StackmapValue::appendSomeRegisterWithClobber):
+        * b3/B3StackmapValue.h:
+        * b3/B3Validate.cpp:
+        * b3/B3ValueRep.cpp:
+        (JSC::B3::ValueRep::addUsedRegistersTo const):
+        (JSC::B3::ValueRep::dump const):
+        (WTF::printInternal):
+        * b3/B3ValueRep.h:
+        (JSC::B3::ValueRep::ValueRep):
+        * bytecode/AccessCase.cpp:
+        (JSC::AccessCase::generateImpl):
+        * bytecode/ObjectAllocationProfile.h:
+        (JSC::ObjectAllocationProfile::ObjectAllocationProfile):
+        (JSC::ObjectAllocationProfile::clear):
+        * bytecode/ObjectAllocationProfileInlines.h:
+        (JSC::ObjectAllocationProfile::initializeProfile):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
+        (JSC::DFG::SpeculativeJIT::compileMakeRope):
+        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
+        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
+        (JSC::DFG::SpeculativeJIT::compileCreateThis):
+        (JSC::DFG::SpeculativeJIT::compileNewObject):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
+        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
+        * ftl/FTLAbstractHeapRepository.h:
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
+        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
+        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
+        (JSC::FTL::DFG::LowerDFGToB3::allocateHeapCell):
+        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
+        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
+        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
+        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedCell):
+        * heap/Allocator.cpp: Added.
+        (JSC::Allocator::cellSize const):
+        * heap/Allocator.h: Added.
+        (JSC::Allocator::Allocator):
+        (JSC::Allocator::offset const):
+        (JSC::Allocator::operator== const):
+        (JSC::Allocator::operator!= const):
+        (JSC::Allocator::operator bool const):
+        * heap/AllocatorInlines.h: Added.
+        (JSC::Allocator::allocate const):
+        (JSC::Allocator::tryAllocate const):
+        * heap/BlockDirectory.cpp:
+        (JSC::BlockDirectory::BlockDirectory):
+        (JSC::BlockDirectory::findBlockForAllocation):
+        (JSC::BlockDirectory::stopAllocating):
+        (JSC::BlockDirectory::prepareForAllocation):
+        (JSC::BlockDirectory::stopAllocatingForGood):
+        (JSC::BlockDirectory::resumeAllocating):
+        (JSC::BlockDirectory::endMarking):
+        (JSC::BlockDirectory::isFreeListedCell):
+        (JSC::BlockDirectory::didConsumeFreeList): Deleted.
+        (JSC::BlockDirectory::tryAllocateWithoutCollecting): Deleted.
+        (JSC::BlockDirectory::allocateIn): Deleted.
+        (JSC::BlockDirectory::tryAllocateIn): Deleted.
+        (JSC::BlockDirectory::doTestCollectionsIfNeeded): Deleted.
+        (JSC::BlockDirectory::allocateSlowCase): Deleted.
+        * heap/BlockDirectory.h:
+        (JSC::BlockDirectory::cellKind const):
+        (JSC::BlockDirectory::allocator const):
+        (JSC::BlockDirectory::freeList const): Deleted.
+        (JSC::BlockDirectory::offsetOfFreeList): Deleted.
+        (JSC::BlockDirectory::offsetOfCellSize): Deleted.
+        * heap/BlockDirectoryInlines.h:
+        (JSC::BlockDirectory::isFreeListedCell const): Deleted.
+        (JSC::BlockDirectory::allocate): Deleted.
+        * heap/CompleteSubspace.cpp:
+        (JSC::CompleteSubspace::CompleteSubspace):
+        (JSC::CompleteSubspace::allocatorFor):
+        (JSC::CompleteSubspace::allocate):
+        (JSC::CompleteSubspace::allocateNonVirtual):
+        (JSC::CompleteSubspace::allocatorForSlow):
+        (JSC::CompleteSubspace::allocateSlow):
+        (JSC::CompleteSubspace::tryAllocateSlow):
+        * heap/CompleteSubspace.h:
+        (JSC::CompleteSubspace::allocatorForSizeStep):
+        (JSC::CompleteSubspace::allocatorForNonVirtual):
+        * heap/FreeList.h:
+        * heap/GCDeferralContext.h:
+        * heap/Heap.cpp:
+        (JSC::Heap::Heap):
+        (JSC::Heap::lastChanceToFinalize):
+        * heap/Heap.h:
+        (JSC::Heap::threadLocalCacheLayout):
+        * heap/IsoCellSet.h:
+        * heap/IsoSubspace.cpp:
+        (JSC::IsoSubspace::IsoSubspace):
+        (JSC::IsoSubspace::allocatorFor):
+        (JSC::IsoSubspace::allocate):
+        (JSC::IsoSubspace::allocateNonVirtual):
+        * heap/IsoSubspace.h:
+        (JSC::IsoSubspace::allocatorForNonVirtual):
+        * heap/LocalAllocator.cpp: Added.
+        (JSC::LocalAllocator::LocalAllocator):
+        (JSC::LocalAllocator::reset):
+        (JSC::LocalAllocator::~LocalAllocator):
+        (JSC::LocalAllocator::stopAllocating):
+        (JSC::LocalAllocator::resumeAllocating):
+        (JSC::LocalAllocator::prepareForAllocation):
+        (JSC::LocalAllocator::stopAllocatingForGood):
+        (JSC::LocalAllocator::allocateSlowCase):
+        (JSC::LocalAllocator::didConsumeFreeList):
+        (JSC::LocalAllocator::tryAllocateWithoutCollecting):
+        (JSC::LocalAllocator::allocateIn):
+        (JSC::LocalAllocator::tryAllocateIn):
+        (JSC::LocalAllocator::doTestCollectionsIfNeeded):
+        (JSC::LocalAllocator::isFreeListedCell const):
+        * heap/LocalAllocator.h: Added.
+        (JSC::LocalAllocator::offsetOfFreeList):
+        (JSC::LocalAllocator::offsetOfCellSize):
+        * heap/LocalAllocatorInlines.h: Added.
+        (JSC::LocalAllocator::allocate):
+        * heap/MarkedSpace.cpp:
+        (JSC::MarkedSpace::stopAllocatingForGood):
+        * heap/MarkedSpace.h:
+        * heap/SlotVisitor.cpp:
+        * heap/SlotVisitor.h:
+        * heap/Subspace.h:
+        * heap/ThreadLocalCache.cpp: Added.
+        (JSC::ThreadLocalCache::create):
+        (JSC::ThreadLocalCache::ThreadLocalCache):
+        (JSC::ThreadLocalCache::~ThreadLocalCache):
+        (JSC::ThreadLocalCache::allocateData):
+        (JSC::ThreadLocalCache::destroyData):
+        (JSC::ThreadLocalCache::installSlow):
+        (JSC::ThreadLocalCache::installData):
+        (JSC::ThreadLocalCache::allocatorSlow):
+        (JSC::ThreadLocalCache::destructor):
+        * heap/ThreadLocalCache.h: Added.
+        (JSC::ThreadLocalCache::offsetOfSize):
+        (JSC::ThreadLocalCache::offsetOfFirstAllocator):
+        * heap/ThreadLocalCacheInlines.h: Added.
+        (JSC::ThreadLocalCache::getImpl):
+        (JSC::ThreadLocalCache::get):
+        (JSC::ThreadLocalCache::install):
+        (JSC::ThreadLocalCache::allocator):
+        (JSC::ThreadLocalCache::tryGetAllocator):
+        * heap/ThreadLocalCacheLayout.cpp: Added.
+        (JSC::ThreadLocalCacheLayout::ThreadLocalCacheLayout):
+        (JSC::ThreadLocalCacheLayout::~ThreadLocalCacheLayout):
+        (JSC::ThreadLocalCacheLayout::allocateOffset):
+        (JSC::ThreadLocalCacheLayout::snapshot):
+        (JSC::ThreadLocalCacheLayout::directory):
+        * heap/ThreadLocalCacheLayout.h: Added.
+        * jit/AssemblyHelpers.cpp:
+        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
+        (JSC::AssemblyHelpers::emitAllocate):
+        (JSC::AssemblyHelpers::emitAllocateVariableSized):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::vm):
+        (JSC::AssemblyHelpers::emitAllocateJSCell):
+        (JSC::AssemblyHelpers::emitAllocateJSObject):
+        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
+        (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator): Deleted.
+        (JSC::AssemblyHelpers::emitAllocate): Deleted.
+        (JSC::AssemblyHelpers::emitAllocateVariableSized): Deleted.
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_new_object):
+        (JSC::JIT::emit_op_create_this):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_new_object):
+        (JSC::JIT::emit_op_create_this):
+        * runtime/ButterflyInlines.h:
+        (JSC::Butterfly::createUninitialized):
+        (JSC::Butterfly::tryCreate):
+        (JSC::Butterfly::growArrayRight):
+        * runtime/DirectArguments.cpp:
+        (JSC::DirectArguments::overrideThings):
+        * runtime/GenericArgumentsInlines.h:
+        (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
+        * runtime/HashMapImpl.h:
+        (JSC::HashMapBuffer::create):
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::tryCreateUninitializedRestricted):
+        (JSC::JSArray::unshiftCountSlowCase):
+        * runtime/JSArray.h:
+        (JSC::JSArray::tryCreate):
+        * runtime/JSArrayBufferView.cpp:
+        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
+        * runtime/JSCellInlines.h:
+        (JSC::tryAllocateCellHelper):
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::JSGlobalObject):
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::threadLocalCache const):
+        * runtime/JSLock.cpp:
+        (JSC::JSLock::didAcquireLock):
+        * runtime/Options.h:
+        * runtime/RegExpMatchesArray.h:
+        (JSC::tryCreateUninitializedRegExpMatchesArray):
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+        * runtime/VM.h:
+        * runtime/VMEntryScope.cpp:
+        (JSC::VMEntryScope::VMEntryScope):
+
 2018-01-25  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -390 +390 @@
                 0F725CB01C506D3B00AD943A /* B3FoldPathConstants.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F725CAE1C506D3B00AD943A /* B3FoldPathConstants.h */; };
                 0F74B93B1F89614800B935D3 /* PrototypeKey.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F74B93A1F89614500B935D3 /* PrototypeKey.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F75A05E200D25F60038E2CF /* ThreadLocalCache.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F75A055200D25EF0038E2CF /* ThreadLocalCache.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F75A060200D260B0038E2CF /* LocalAllocatorInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F75A05A200D25F00038E2CF /* LocalAllocatorInlines.h */; };
+                0F75A061200D26180038E2CF /* LocalAllocator.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F75A057200D25F00038E2CF /* LocalAllocator.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F75A062200D261D0038E2CF /* AllocatorInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F75A05D200D25F10038E2CF /* AllocatorInlines.h */; };
+                0F75A063200D261F0038E2CF /* Allocator.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F75A054200D25EF0038E2CF /* Allocator.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F75A064200D26280038E2CF /* ThreadLocalCacheLayout.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F75A05C200D25F10038E2CF /* ThreadLocalCacheLayout.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0F75A0662013E4F10038E2CF /* JITAllocator.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F75A0652013E4EF0038E2CF /* JITAllocator.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0F766D2C15A8CC3A008F363E /* JITStubRoutineSet.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F766D2A15A8CC34008F363E /* JITStubRoutineSet.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0F766D3015A8DCE2008F363E /* GCAwareJITStubRoutine.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F766D2E15A8DCDD008F363E /* GCAwareJITStubRoutine.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -2420 +2427 @@
                 0F725CAE1C506D3B00AD943A /* B3FoldPathConstants.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = B3FoldPathConstants.h; path = b3/B3FoldPathConstants.h; sourceTree = "<group>"; };
                 0F74B93A1F89614500B935D3 /* PrototypeKey.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PrototypeKey.h; sourceTree = "<group>"; };
+                0F75A054200D25EF0038E2CF /* Allocator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Allocator.h; sourceTree = "<group>"; };
+                0F75A055200D25EF0038E2CF /* ThreadLocalCache.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ThreadLocalCache.h; sourceTree = "<group>"; };
+                0F75A056200D25EF0038E2CF /* ThreadLocalCacheInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ThreadLocalCacheInlines.h; sourceTree = "<group>"; };
+                0F75A057200D25F00038E2CF /* LocalAllocator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LocalAllocator.h; sourceTree = "<group>"; };
+                0F75A058200D25F00038E2CF /* ThreadLocalCache.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ThreadLocalCache.cpp; sourceTree = "<group>"; };
+                0F75A059200D25F00038E2CF /* LocalAllocator.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = LocalAllocator.cpp; sourceTree = "<group>"; };
+                0F75A05A200D25F00038E2CF /* LocalAllocatorInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LocalAllocatorInlines.h; sourceTree = "<group>"; };
+                0F75A05B200D25F10038E2CF /* ThreadLocalCacheLayout.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ThreadLocalCacheLayout.cpp; sourceTree = "<group>"; };
+                0F75A05C200D25F10038E2CF /* ThreadLocalCacheLayout.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ThreadLocalCacheLayout.h; sourceTree = "<group>"; };
+                0F75A05D200D25F10038E2CF /* AllocatorInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AllocatorInlines.h; sourceTree = "<group>"; };
+                0F75A0652013E4EF0038E2CF /* JITAllocator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JITAllocator.h; sourceTree = "<group>"; };
                 0F766D1C15A5028D008F363E /* JITStubRoutine.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JITStubRoutine.h; sourceTree = "<group>"; };
                 0F766D2615A8CC1B008F363E /* JITStubRoutine.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JITStubRoutine.cpp; sourceTree = "<group>"; };
@@ -5448 +5466 @@
                                 FE1220251BE7F5640039E6F2 /* JITAddGenerator.cpp */,
                                 FE1220261BE7F5640039E6F2 /* JITAddGenerator.h */,
+                                0F75A0652013E4EF0038E2CF /* JITAllocator.h */,
                                 86A90ECF0EE7D51F00AB350D /* JITArithmetic.cpp */,
                                 A75706DD118A2BCF0057F88F /* JITArithmetic32_64.cpp */,
@@ -5541 +5560 @@
                         isa = PBXGroup;
                         children = (
+                                0F75A054200D25EF0038E2CF /* Allocator.h */,
+                                0F75A05D200D25F10038E2CF /* AllocatorInlines.h */,
+                                0F75A059200D25F00038E2CF /* LocalAllocator.cpp */,
+                                0F75A057200D25F00038E2CF /* LocalAllocator.h */,
+                                0F75A05A200D25F00038E2CF /* LocalAllocatorInlines.h */,
+                                0F75A058200D25F00038E2CF /* ThreadLocalCache.cpp */,
+                                0F75A055200D25EF0038E2CF /* ThreadLocalCache.h */,
+                                0F75A056200D25EF0038E2CF /* ThreadLocalCacheInlines.h */,
+                                0F75A05B200D25F10038E2CF /* ThreadLocalCacheLayout.cpp */,
+                                0F75A05C200D25F10038E2CF /* ThreadLocalCacheLayout.h */,
                                 0FEC3C501F33A41600F59B6C /* AlignedMemoryAllocator.cpp */,
                                 0FEC3C511F33A41600F59B6C /* AlignedMemoryAllocator.h */,
@@ -8049 +8078 @@
                                 0FEC85771BDACDC70080FF74 /* AirFrequentedBlock.h in Headers */,
                                 0FEC85791BDACDC70080FF74 /* AirGenerate.h in Headers */,
+                                0F75A061200D26180038E2CF /* LocalAllocator.h in Headers */,
                                 0FEC857A1BDACDC70080FF74 /* AirGenerationContext.h in Headers */,
                                 0FEC857C1BDACDC70080FF74 /* AirHandleCalleeSaves.h in Headers */,
@@ -8214 +8244 @@
                                 0F33FCF81C136E2500323F67 /* B3StackmapGenerationParams.h in Headers */,
                                 0FEC85311BDACDAC0080FF74 /* B3StackmapSpecial.h in Headers */,
+                                0F75A064200D26280038E2CF /* ThreadLocalCacheLayout.h in Headers */,
                                 0F338DF21BE93AD10013C88F /* B3StackmapValue.h in Headers */,
                                 0F9495881C57F47500413A48 /* B3StackSlot.h in Headers */,
@@ -8383 +8414 @@
                                 0F2DD8121AB3D8BE00BBB8E8 /* DFGArgumentsEliminationPhase.h in Headers */,
                                 0F2DD8141AB3D8BE00BBB8E8 /* DFGArgumentsUtilities.h in Headers */,
+                                0F75A063200D261F0038E2CF /* Allocator.h in Headers */,
                                 0F485322187750560083B687 /* DFGArithMode.h in Headers */,
                                 0F05C3B41683CF9200BAF45B /* DFGArrayifySlowPathGenerator.h in Headers */,
@@ -8663 +8695 @@
                                 2AACE63D18CA5A0300ED0191 /* GCActivityCallback.h in Headers */,
                                 BCBE2CAE14E985AA000593AD /* GCAssertions.h in Headers */,
+                                0F75A060200D260B0038E2CF /* LocalAllocatorInlines.h in Headers */,
                                 0F766D3015A8DCE2008F363E /* GCAwareJITStubRoutine.h in Headers */,
                                 0FD0E5EA1E43D34D0006AB08 /* GCConductor.h in Headers */,
@@ -8747 +8780 @@
                                 0FB7F39B15ED8E4600F167B2 /* IndexingType.h in Headers */,
                                 14386A791DD6989C008652C4 /* IndirectEvalExecutable.h in Headers */,
+                                0F75A062200D261D0038E2CF /* AllocatorInlines.h in Headers */,
                                 0FBF92B91FD76FFF00AC28A8 /* InferredStructure.h in Headers */,
                                 0FBF92BA1FD7700400AC28A8 /* InferredStructureWatchpoint.h in Headers */,
@@ -8932 +8966 @@
                                 E33F50871B8449EF00413856 /* JSInternalPromiseConstructor.lut.h in Headers */,
                                 E33F50851B8437A000413856 /* JSInternalPromiseDeferred.h in Headers */,
+                                0F75A05E200D25F60038E2CF /* ThreadLocalCache.h in Headers */,
                                 E33F50751B8421C000413856 /* JSInternalPromisePrototype.h in Headers */,
                                 A503FA1E188E0FB000110F14 /* JSJavaScriptCallFramePrototype.h in Headers */,
@@ -9431 +9466 @@
                                 14BE7D3317135CF400D1807A /* WeakInlines.h in Headers */,
                                 A7CA3AE417DA41AE006538AF /* WeakMapConstructor.h in Headers */,
+                                0F75A0662013E4F10038E2CF /* JITAllocator.h in Headers */,
                                 E3A32BC71FC83147007D7E76 /* WeakMapImpl.h in Headers */,
                                 E393ADD81FE702D00022D681 /* WeakMapImplInlines.h in Headers */,

trunk/Source/JavaScriptCore/Sources.txt

@@ -467 +467 @@
 
 heap/AlignedMemoryAllocator.cpp
+heap/Allocator.cpp
 heap/BlockDirectory.cpp
 heap/CellAttributes.cpp
@@ -501 +502 @@
 heap/JITStubRoutineSet.cpp
 heap/LargeAllocation.cpp
+heap/LocalAllocator.cpp
 heap/MachineStackMarker.cpp
 heap/MarkStack.cpp
@@ -519 +521 @@
 heap/SynchronousStopTheWorldMutatorScheduler.cpp
 heap/Synchronousness.cpp
+heap/ThreadLocalCache.cpp
+heap/ThreadLocalCacheLayout.cpp
 heap/VisitRaceKey.cpp
 heap/Weak.cpp

trunk/Source/JavaScriptCore/b3/B3LowerToAir.cpp

@@ -1278 +1278 @@
                 arg = tmp(value.value());
                 break;
+            case ValueRep::SomeRegisterWithClobber: {
+                Tmp dstTmp = m_code.newTmp(value.value()->resultBank());
+                append(relaxedMoveForType(value.value()->type()), immOrTmp(value.value()), dstTmp);
+                arg = dstTmp;
+                break;
+            }
             case ValueRep::LateRegister:
             case ValueRep::Register:

trunk/Source/JavaScriptCore/b3/B3PatchpointSpecial.cpp

@@ -119 +119 @@
             return true;
         case ValueRep::SomeRegister:
+        case ValueRep::SomeRegisterWithClobber:
         case ValueRep::SomeEarlyRegister:
         case ValueRep::Register:

trunk/Source/JavaScriptCore/b3/B3StackmapSpecial.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -111 +111 @@
                 role = Arg::Use;
                 break;
+            case ValueRep::SomeRegisterWithClobber:
+                role = Arg::UseDef;
+                break;
             case ValueRep::LateRegister:
                 role = Arg::LateUse;
@@ -129 +132 @@
             // original stackmap value across the Special operation.
             if (!Arg::isLateUse(role) && optionalDefArgWidth && *optionalDefArgWidth < child.value()->resultWidth()) {
+                // The role can only be some kind of def if we did SomeRegisterWithClobber, which is
+                // only allowed for patchpoints. Patchpoints don't use the defArgWidth feature.
+                RELEASE_ASSERT(!Arg::isAnyDef(role));
+                
                 if (Arg::isWarmUse(role))
                     role = Arg::LateUse;
@@ -246 +253 @@
         return true;
     case ValueRep::SomeRegister:
+    case ValueRep::SomeRegisterWithClobber:
     case ValueRep::SomeEarlyRegister:
         return arg.isTmp();

trunk/Source/JavaScriptCore/b3/B3StackmapValue.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -54 +54 @@
 }
 
+void StackmapValue::appendSomeRegisterWithClobber(Value* value)
+{
+    append(ConstrainedValue(value, ValueRep::SomeRegisterWithClobber));
+}
+
 void StackmapValue::setConstrainedChild(unsigned index, const ConstrainedValue& constrainedValue)
 {

trunk/Source/JavaScriptCore/b3/B3StackmapValue.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -100 +100 @@
     // to SomeRegister.
     void appendSomeRegister(Value*);
-
+    void appendSomeRegisterWithClobber(Value*);
+    
     const Vector<ValueRep>& reps() const { return m_reps; }
 

trunk/Source/JavaScriptCore/b3/B3Validate.cpp

@@ -433 +433 @@
                 if (value->type() == Void)
                     VALIDATE(value->as<PatchpointValue>()->resultConstraint == ValueRep::WarmAny, ("At ", *value));
-                else {
-                    switch (value->as<PatchpointValue>()->resultConstraint.kind()) {
-                    case ValueRep::WarmAny:
-                    case ValueRep::SomeRegister:
-                    case ValueRep::SomeEarlyRegister:
-                    case ValueRep::Register:
-                    case ValueRep::StackArgument:
-                        break;
-                    default:
-                        VALIDATE(false, ("At ", *value));
-                        break;
-                    }
-                    
+                else
                     validateStackmapConstraint(value, ConstrainedValue(value, value->as<PatchpointValue>()->resultConstraint), ConstraintRole::Def);
-                }
                 validateStackmap(value);
                 break;
@@ -572 +559 @@
         switch (value.rep().kind()) {
         case ValueRep::WarmAny:
-        case ValueRep::ColdAny:
-        case ValueRep::LateColdAny:
         case ValueRep::SomeRegister:
         case ValueRep::StackArgument:
+            break;
+        case ValueRep::LateColdAny:
+        case ValueRep::ColdAny:
+            VALIDATE(role == ConstraintRole::Use, ("At ", *context, ": ", value));
+            break;
+        case ValueRep::SomeRegisterWithClobber:
+            VALIDATE(role == ConstraintRole::Use, ("At ", *context, ": ", value));
+            VALIDATE(context->as<PatchpointValue>(), ("At ", *context));
             break;
         case ValueRep::SomeEarlyRegister:
@@ -582 +575 @@
         case ValueRep::Register:
         case ValueRep::LateRegister:
+            if (value.rep().kind() == ValueRep::LateRegister)
+                VALIDATE(role == ConstraintRole::Use, ("At ", *context, ": ", value));
             if (value.rep().reg().isGPR())
                 VALIDATE(isInt(value.value()->type()), ("At ", *context, ": ", value));

trunk/Source/JavaScriptCore/b3/B3ValueRep.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -41 +41 @@
     case LateColdAny:
     case SomeRegister:
+    case SomeRegisterWithClobber:
     case SomeEarlyRegister:
     case Constant:
@@ -72 +73 @@
     case LateColdAny:
     case SomeRegister:
+    case SomeRegisterWithClobber:
     case SomeEarlyRegister:
         return;
@@ -176 +178 @@
         out.print("SomeRegister");
         return;
+    case ValueRep::SomeRegisterWithClobber:
+        out.print("SomeRegisterWithClobber");
+        return;
     case ValueRep::SomeEarlyRegister:
         out.print("SomeEarlyRegister");

trunk/Source/JavaScriptCore/b3/B3ValueRep.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -66 +66 @@
         // register that this claims to clobber!
         SomeRegister,
+        
+        // As an input representation, this means that B3 should pick some register but that this
+        // register is then cobbered with garbage. This only works for patchpoints.
+        SomeRegisterWithClobber,
 
         // As an input representation, this tells us that B3 should pick some register, but implies
@@ -108 +112 @@
         : m_kind(kind)
     {
-        ASSERT(kind == WarmAny || kind == ColdAny || kind == LateColdAny || kind == SomeRegister || kind == SomeEarlyRegister);
+        ASSERT(kind == WarmAny || kind == ColdAny || kind == LateColdAny || kind == SomeRegister || kind == SomeRegisterWithClobber || kind == SomeEarlyRegister);
     }
 

trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -956 +956 @@
 
             if (allocatingInline) {
-                BlockDirectory* allocator = vm.jsValueGigacageAuxiliarySpace.allocatorFor(newSize, AllocatorForMode::AllocatorIfExists);
-
-                if (!allocator) {
-                    // Yuck, this case would suck!
-                    slowPath.append(jit.jump());
-                }
-
-                jit.move(CCallHelpers::TrustedImmPtr(allocator), scratchGPR2);
-                jit.emitAllocate(scratchGPR, allocator, scratchGPR2, scratchGPR3, slowPath);
+                Allocator allocator = vm.jsValueGigacageAuxiliarySpace.allocatorFor(newSize, AllocatorForMode::AllocatorIfExists);
+
+                jit.emitAllocate(scratchGPR, JITAllocator::constant(allocator), scratchGPR2, scratchGPR3, slowPath);
                 jit.addPtr(CCallHelpers::TrustedImm32(newSize + sizeof(IndexingHeader)), scratchGPR);
 

trunk/Source/JavaScriptCore/bytecode/ObjectAllocationProfile.h

@@ -44 +44 @@
 
     ObjectAllocationProfile()
-        : m_allocator(0)
-        , m_inlineCapacity(0)
+        : m_inlineCapacity(0)
     {
     }
@@ -64 +63 @@
     void clear()
     {
-        m_allocator = nullptr;
+        m_allocator = Allocator();
         m_structure.clear();
         m_inlineCapacity = 0;
@@ -78 +77 @@
     unsigned possibleDefaultPropertyCount(VM&, JSObject* prototype);
 
-    BlockDirectory* m_allocator; // Precomputed to make things easier for generated code.
+    Allocator m_allocator; // Precomputed to make things easier for generated code.
     WriteBarrier<Structure> m_structure;
     unsigned m_inlineCapacity;

trunk/Source/JavaScriptCore/bytecode/ObjectAllocationProfileInlines.h

@@ -54 +54 @@
         if (Structure* structure = executable->cachedPolyProtoStructure()) {
             RELEASE_ASSERT(structure->typeInfo().type() == FinalObjectType);
-            m_allocator = nullptr;
+            m_allocator = Allocator();
             m_structure.set(vm, owner, structure);
             m_inlineCapacity = structure->inlineCapacity();
@@ -100 +100 @@
 
     size_t allocationSize = JSFinalObject::allocationSize(inlineCapacity);
-    BlockDirectory* allocator = vm.cellSpace.allocatorForNonVirtual(allocationSize, AllocatorForMode::EnsureAllocator);
+    Allocator allocator = vm.cellSpace.allocatorForNonVirtual(allocationSize, AllocatorForMode::EnsureAllocator);
 
     // Take advantage of extra inline capacity available in the size class.
     if (allocator) {
-        size_t slop = (allocator->cellSize() - allocationSize) / sizeof(WriteBarrier<Unknown>);
+        size_t slop = (allocator.cellSize(vm.heap) - allocationSize) / sizeof(WriteBarrier<Unknown>);
         inlineCapacity += slop;
         if (inlineCapacity > JSFinalObject::maxInlineCapacity())
@@ -114 +114 @@
     if (isPolyProto) {
         ASSERT(structure->hasPolyProto());
-        m_allocator = nullptr;
+        m_allocator = Allocator();
         executable->setCachedPolyProtoStructure(vm, structure);
     } else {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -114 +114 @@
 
     if (size) {
-        if (BlockDirectory* allocator = m_jit.vm()->jsValueGigacageAuxiliarySpace.allocatorForNonVirtual(size, AllocatorForMode::AllocatorIfExists)) {
-            m_jit.move(TrustedImmPtr(allocator), scratchGPR);
-            m_jit.emitAllocate(storageGPR, allocator, scratchGPR, scratch2GPR, slowCases);
+        if (Allocator allocator = m_jit.vm()->jsValueGigacageAuxiliarySpace.allocatorForNonVirtual(size, AllocatorForMode::AllocatorIfExists)) {
+            m_jit.emitAllocate(storageGPR, JITAllocator::constant(allocator), scratchGPR, scratch2GPR, slowCases);
             
             m_jit.addPtr(
@@ -129 +128 @@
 
     size_t allocationSize = JSFinalObject::allocationSize(inlineCapacity);
-    BlockDirectory* allocatorPtr = subspaceFor<JSFinalObject>(*m_jit.vm())->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
-    if (allocatorPtr) {
-        m_jit.move(TrustedImmPtr(allocatorPtr), scratchGPR);
+    Allocator allocator = subspaceFor<JSFinalObject>(*m_jit.vm())->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
+    if (allocator) {
         uint32_t mask = WTF::computeIndexingMask(vectorLength);
-        emitAllocateJSObject(resultGPR, allocatorPtr, scratchGPR, TrustedImmPtr(structure), storageGPR, TrustedImm32(mask), scratch2GPR, slowCases);
+        emitAllocateJSObject(resultGPR, JITAllocator::constant(allocator), scratchGPR, TrustedImmPtr(structure), storageGPR, TrustedImm32(mask), scratch2GPR, slowCases);
         m_jit.emitInitializeInlineStorage(resultGPR, structure->inlineCapacity());
     } else
@@ -4209 +4207 @@
     
     JITCompiler::JumpList slowPath;
-    BlockDirectory* blockDirectory = subspaceFor<JSRopeString>(*m_jit.vm())->allocatorForNonVirtual(sizeof(JSRopeString), AllocatorForMode::AllocatorIfExists);
-    m_jit.move(TrustedImmPtr(blockDirectory), allocatorGPR);
-    emitAllocateJSCell(resultGPR, blockDirectory, allocatorGPR, TrustedImmPtr(m_jit.graph().registerStructure(m_jit.vm()->stringStructure.get())), scratchGPR, slowPath);
+    Allocator allocatorValue = subspaceFor<JSRopeString>(*m_jit.vm())->allocatorForNonVirtual(sizeof(JSRopeString), AllocatorForMode::AllocatorIfExists);
+    emitAllocateJSCell(resultGPR, JITAllocator::constant(allocatorValue), allocatorGPR, TrustedImmPtr(m_jit.graph().registerStructure(m_jit.vm()->stringStructure.get())), scratchGPR, slowPath);
         
     m_jit.storePtr(TrustedImmPtr(0), JITCompiler::Address(resultGPR, JSString::offsetOfValue()));
@@ -8385 +8382 @@
     size_t size = initialOutOfLineCapacity * sizeof(JSValue);
 
-    BlockDirectory* allocator = m_jit.vm()->jsValueGigacageAuxiliarySpace.allocatorForNonVirtual(size, AllocatorForMode::AllocatorIfExists);
+    Allocator allocator = m_jit.vm()->jsValueGigacageAuxiliarySpace.allocatorForNonVirtual(size, AllocatorForMode::AllocatorIfExists);
 
     if (!allocator || node->transition()->previous->couldHaveIndexingHeader()) {
@@ -8410 +8407 @@
     GPRReg scratchGPR3 = scratch3.gpr();
         
-    m_jit.move(TrustedImmPtr(allocator), scratchGPR2);
     JITCompiler::JumpList slowPath;
-    m_jit.emitAllocate(scratchGPR1, allocator, scratchGPR2, scratchGPR3, slowPath);
+    m_jit.emitAllocate(scratchGPR1, JITAllocator::constant(allocator), scratchGPR2, scratchGPR3, slowPath);
     m_jit.addPtr(JITCompiler::TrustedImm32(size + sizeof(IndexingHeader)), scratchGPR1);
     
@@ -8430 +8426 @@
     ASSERT(newSize == node->transition()->next->outOfLineCapacity() * sizeof(JSValue));
     
-    BlockDirectory* allocator = m_jit.vm()->jsValueGigacageAuxiliarySpace.allocatorForNonVirtual(newSize, AllocatorForMode::AllocatorIfExists);
+    Allocator allocator = m_jit.vm()->jsValueGigacageAuxiliarySpace.allocatorForNonVirtual(newSize, AllocatorForMode::AllocatorIfExists);
 
     if (!allocator || node->transition()->previous->couldHaveIndexingHeader()) {
@@ -8458 +8454 @@
     
     JITCompiler::JumpList slowPath;
-    m_jit.move(TrustedImmPtr(allocator), scratchGPR2);
-    m_jit.emitAllocate(scratchGPR1, allocator, scratchGPR2, scratchGPR3, slowPath);
+    m_jit.emitAllocate(scratchGPR1, JITAllocator::constant(allocator), scratchGPR2, scratchGPR3, slowPath);
     
     m_jit.addPtr(JITCompiler::TrustedImm32(newSize + sizeof(IndexingHeader)), scratchGPR1);
@@ -11449 +11444 @@
     m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfRareData()), rareDataGPR);
     slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, rareDataGPR));
-    m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorGPR);
+    m_jit.load32(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorGPR);
     m_jit.loadPtr(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureGPR);
 
-    slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, allocatorGPR));
+    slowPath.append(m_jit.branch32(MacroAssembler::Equal, allocatorGPR, TrustedImm32(Allocator().offset())));
 
     auto butterfly = TrustedImmPtr(nullptr);
     auto mask = TrustedImm32(0);
-    emitAllocateJSObject(resultGPR, nullptr, allocatorGPR, structureGPR, butterfly, mask, scratchGPR, slowPath);
+    emitAllocateJSObject(resultGPR, JITAllocator::variable(), allocatorGPR, structureGPR, butterfly, mask, scratchGPR, slowPath);
 
     m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfRareData()), rareDataGPR);
@@ -11482 +11477 @@
     RegisteredStructure structure = node->structure();
     size_t allocationSize = JSFinalObject::allocationSize(structure->inlineCapacity());
-    BlockDirectory* allocatorPtr = subspaceFor<JSFinalObject>(*m_jit.vm())->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
-
-    m_jit.move(TrustedImmPtr(allocatorPtr), allocatorGPR);
-    auto butterfly = TrustedImmPtr(nullptr);
-    auto mask = TrustedImm32(0);
-    emitAllocateJSObject(resultGPR, allocatorPtr, allocatorGPR, TrustedImmPtr(structure), butterfly, mask, scratchGPR, slowPath);
-    m_jit.emitInitializeInlineStorage(resultGPR, structure->inlineCapacity());
-    m_jit.mutatorFence(*m_jit.vm());
+    Allocator allocatorValue = subspaceFor<JSFinalObject>(*m_jit.vm())->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
+
+    if (!allocatorValue)
+        slowPath.append(m_jit.jump());
+    else {
+        auto butterfly = TrustedImmPtr(nullptr);
+        auto mask = TrustedImm32(0);
+        emitAllocateJSObject(resultGPR, JITAllocator::constant(allocatorValue), allocatorGPR, TrustedImmPtr(structure), butterfly, mask, scratchGPR, slowPath);
+        m_jit.emitInitializeInlineStorage(resultGPR, structure->inlineCapacity());
+        m_jit.mutatorFence(*m_jit.vm());
+    }
 
     addSlowPathGenerator(slowPathCall(slowPath, this, operationNewObject, resultGPR, structure));

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2011-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -3143 +3143 @@
     template <typename StructureType> // StructureType can be GPR or ImmPtr.
     void emitAllocateJSCell(
-        GPRReg resultGPR, BlockDirectory* allocator, GPRReg allocatorGPR, StructureType structure,
+        GPRReg resultGPR, const JITAllocator& allocator, GPRReg allocatorGPR, StructureType structure,
         GPRReg scratchGPR, MacroAssembler::JumpList& slowPath)
     {
@@ -3152 +3152 @@
     template <typename StructureType, typename StorageType, typename MaskType> // StructureType, StorageType and, MaskType can be GPR or ImmPtr.
     void emitAllocateJSObject(
-        GPRReg resultGPR, BlockDirectory* allocator, GPRReg allocatorGPR, StructureType structure,
+        GPRReg resultGPR, const JITAllocator& allocator, GPRReg allocatorGPR, StructureType structure,
         StorageType storage, MaskType mask, GPRReg scratchGPR, MacroAssembler::JumpList& slowPath)
     {

trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -132 +132 @@
 #define FOR_EACH_INDEXED_ABSTRACT_HEAP(macro) \
     macro(ArrayStorage_vector, ArrayStorage::vectorOffset(), sizeof(WriteBarrier<Unknown>)) \
-    macro(CompleteSubspace_allocatorForSizeStep, CompleteSubspace::offsetOfAllocatorForSizeStep(), sizeof(BlockDirectory*)) \
+    macro(CompleteSubspace_allocatorForSizeStep, CompleteSubspace::offsetOfAllocatorForSizeStep(), sizeof(Allocator)) \
     macro(DirectArguments_storage, DirectArguments::storageOffset(), sizeof(EncodedJSValue)) \
     macro(JSLexicalEnvironment_variables, JSLexicalEnvironment::offsetOfVariables(), sizeof(EncodedJSValue)) \

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -5877 +5877 @@
         LBasicBlock lastNext = m_out.insertNewBlocksBefore(slowPath);
         
-        BlockDirectory* allocator = subspaceFor<JSRopeString>(vm())->allocatorForNonVirtual(sizeof(JSRopeString), AllocatorForMode::AllocatorIfExists);
+        Allocator allocator = subspaceFor<JSRopeString>(vm())->allocatorForNonVirtual(sizeof(JSRopeString), AllocatorForMode::AllocatorIfExists);
         
         LValue result = allocateCell(
-            m_out.constIntPtr(allocator), vm().stringStructure.get(), slowPath);
+            m_out.constInt32(allocator.offset()), vm().stringStructure.get(), slowPath);
         
         m_out.storePtr(m_out.intPtrZero, result, m_heaps.JSString_value);
@@ -9910 +9910 @@
             if (structure->outOfLineCapacity() || hasIndexedProperties(structure->indexingType())) {
                 size_t allocationSize = JSFinalObject::allocationSize(structure->inlineCapacity());
-                BlockDirectory* cellAllocator = subspaceFor<JSFinalObject>(vm())->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
+                Allocator cellAllocator = subspaceFor<JSFinalObject>(vm())->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
 
                 bool hasIndexingHeader = hasIndexedProperties(structure->indexingType());
@@ -9969 +9969 @@
                 LValue mask = computeButterflyIndexingMask(vectorLength);
                 LValue fastObjectValue = allocateObject(
-                    m_out.constIntPtr(cellAllocator), structure, fastButterflyValue, mask, slowPath);
+                    m_out.constInt32(cellAllocator.offset()), structure, fastButterflyValue, mask, slowPath);
 
                 ValueFromBlock fastObject = m_out.anchor(fastObjectValue);
@@ -10956 +10956 @@
 
         size_t sizeInBytes = sizeInValues * sizeof(JSValue);
-        BlockDirectory* allocator = vm().jsValueGigacageAuxiliarySpace.allocatorForNonVirtual(sizeInBytes, AllocatorForMode::AllocatorIfExists);
-        LValue startOfStorage = allocateHeapCell(m_out.constIntPtr(allocator), slowPath);
+        Allocator allocator = vm().jsValueGigacageAuxiliarySpace.allocatorForNonVirtual(sizeInBytes, AllocatorForMode::AllocatorIfExists);
+        LValue startOfStorage = allocateHeapCell(m_out.constInt32(allocator.offset()), slowPath);
         ValueFromBlock fastButterfly = m_out.anchor(
             m_out.add(m_out.constIntPtr(sizeInBytes + sizeof(IndexingHeader)), startOfStorage));
@@ -11989 +11989 @@
     LValue allocateHeapCell(LValue allocator, LBasicBlock slowPath)
     {
-        BlockDirectory* actualAllocator = nullptr;
-        if (allocator->hasIntPtr())
-            actualAllocator = bitwise_cast<BlockDirectory*>(allocator->asIntPtr());
-        
-        if (!actualAllocator) {
+        JITAllocator actualAllocator;
+        if (allocator->hasInt32())
+            actualAllocator = JITAllocator::constant(Allocator(allocator->asInt32()));
+        else
+            actualAllocator = JITAllocator::variable();
+        
+        if (actualAllocator.isConstant()) {
+            if (!actualAllocator.allocator()) {
+                LBasicBlock haveAllocator = m_out.newBlock();
+                LBasicBlock lastNext = m_out.insertNewBlocksBefore(haveAllocator);
+                m_out.jump(slowPath);
+                m_out.appendTo(haveAllocator, lastNext);
+                return m_out.intPtrZero;
+            }
+        } else {
             // This means that either we know that the allocator is null or we don't know what the
             // allocator is. In either case, we need the null check.
             LBasicBlock haveAllocator = m_out.newBlock();
             LBasicBlock lastNext = m_out.insertNewBlocksBefore(haveAllocator);
-            m_out.branch(allocator, usually(haveAllocator), rarely(slowPath));
+            m_out.branch(
+                m_out.notEqual(allocator, m_out.constInt32(Allocator().offset())),
+                usually(haveAllocator), rarely(slowPath));
             m_out.appendTo(haveAllocator, lastNext);
         }
@@ -12008 +12020 @@
         PatchpointValue* patchpoint = m_out.patchpoint(pointerType());
         patchpoint->effects.terminal = true;
-        patchpoint->appendSomeRegister(allocator);
+        if (actualAllocator.isConstant())
+            patchpoint->numGPScratchRegisters++;
+        else
+            patchpoint->appendSomeRegisterWithClobber(allocator);
         patchpoint->numGPScratchRegisters++;
         patchpoint->resultConstraint = ValueRep::SomeEarlyRegister;
@@ -12018 +12033 @@
             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
                 CCallHelpers::JumpList jumpToSlowPath;
+                
+                GPRReg allocatorGPR;
+                if (actualAllocator.isConstant())
+                    allocatorGPR = params.gpScratch(1);
+                else
+                    allocatorGPR = params[1].gpr();
                 
                 // We use a patchpoint to emit the allocation path because whenever we mess with
@@ -12026 +12047 @@
                 // all of the compiler tiers.
                 jit.emitAllocateWithNonNullAllocator(
-                    params[0].gpr(), actualAllocator, params[1].gpr(), params.gpScratch(0),
+                    params[0].gpr(), actualAllocator, allocatorGPR, params.gpScratch(0),
                     jumpToSlowPath);
                 
@@ -12118 +12139 @@
         size_t size, StructureType structure, LValue butterfly, LValue indexingMask, LBasicBlock slowPath)
     {
-        BlockDirectory* allocator = subspaceFor<ClassType>(vm())->allocatorForNonVirtual(size, AllocatorForMode::AllocatorIfExists);
-        return allocateObject(m_out.constIntPtr(allocator), structure, butterfly, indexingMask, slowPath);
+        Allocator allocator = subspaceFor<ClassType>(vm())->allocatorForNonVirtual(size, AllocatorForMode::AllocatorIfExists);
+        return allocateObject(m_out.constInt32(allocator.offset()), structure, butterfly, indexingMask, slowPath);
     }
     
@@ -12138 +12159 @@
             size_t actualSize = size->asIntPtr();
             
-            BlockDirectory* actualAllocator = actualSubspace->allocatorForNonVirtual(actualSize, AllocatorForMode::AllocatorIfExists);
+            Allocator actualAllocator = actualSubspace->allocatorForNonVirtual(actualSize, AllocatorForMode::AllocatorIfExists);
             if (!actualAllocator) {
                 LBasicBlock continuation = m_out.newBlock();
@@ -12144 +12165 @@
                 m_out.jump(slowPath);
                 m_out.appendTo(continuation, lastNext);
-                return m_out.intPtrZero;
+                return m_out.int32Zero;
             }
             
-            return m_out.constIntPtr(actualAllocator);
+            return m_out.constInt32(actualAllocator.offset());
         }
         
@@ -12166 +12187 @@
         m_out.appendTo(continuation, lastNext);
         
-        return m_out.loadPtr(
+        return m_out.load32(
             m_out.baseIndex(
                 m_heaps.CompleteSubspace_allocatorForSizeStep,
@@ -12181 +12202 @@
         LValue size, RegisteredStructure structure, LValue butterfly, LValue butterflyIndexingMask, LBasicBlock slowPath)
     {
-        LValue allocator = allocatorForSize(
-            *subspaceFor<ClassType>(vm()), size, slowPath);
+        LValue allocator = allocatorForSize(*subspaceFor<ClassType>(vm()), size, slowPath);
         return allocateObject(allocator, structure, butterfly, butterflyIndexingMask, slowPath);
     }
@@ -12190 +12210 @@
         LValue size, Structure* structure, LBasicBlock slowPath)
     {
-        LValue allocator = allocatorForSize(
-            *subspaceFor<ClassType>(vm()), size, slowPath);
+        LValue allocator = allocatorForSize(*subspaceFor<ClassType>(vm()), size, slowPath);
         return allocateCell(allocator, structure, slowPath);
     }
@@ -12198 +12217 @@
     {
         size_t allocationSize = JSFinalObject::allocationSize(structure.get()->inlineCapacity());
-        BlockDirectory* allocator = subspaceFor<JSFinalObject>(vm())->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
+        Allocator allocator = subspaceFor<JSFinalObject>(vm())->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
         
         // FIXME: If the allocator is null, we could simply emit a normal C call to the allocator
@@ -12210 +12229 @@
         
         ValueFromBlock fastResult = m_out.anchor(allocateObject(
-            m_out.constIntPtr(allocator), structure, m_out.intPtrZero, m_out.int32Zero, slowPath));
+            m_out.constInt32(allocator.offset()), structure, m_out.intPtrZero, m_out.int32Zero, slowPath));
         
         m_out.jump(continuation);

trunk/Source/JavaScriptCore/heap/BlockDirectory.cpp

@@ -27 +27 @@
 #include "BlockDirectory.h"
 
-#include "AllocatingScope.h"
 #include "BlockDirectoryInlines.h"
 #include "GCActivityCallback.h"
@@ -40 +39 @@
 namespace JSC {
 
-static constexpr bool tradeDestructorBlocks = true;
-
 BlockDirectory::BlockDirectory(Heap* heap, size_t cellSize)
-    : m_freeList(cellSize)
-    , m_currentBlock(0)
-    , m_lastActiveBlock(0)
-    , m_cellSize(static_cast<unsigned>(cellSize))
+    : m_cellSize(static_cast<unsigned>(cellSize))
     , m_heap(heap)
 {
+    heap->threadLocalCacheLayout().allocateOffset(this);
 }
 
@@ -82 +77 @@
 }
 
-void BlockDirectory::didConsumeFreeList()
-{
-    if (m_currentBlock)
-        m_currentBlock->didConsumeFreeList();
-    
-    m_freeList.clear();
-    m_currentBlock = nullptr;
-}
-
-void* BlockDirectory::tryAllocateWithoutCollecting()
-{
-    SuperSamplerScope superSamplerScope(false);
-    
-    ASSERT(!m_currentBlock);
-    ASSERT(m_freeList.allocationWillFail());
-    
-    for (;;) {
-        m_allocationCursor = (m_canAllocateButNotEmpty | m_empty).findBit(m_allocationCursor, true);
-        if (m_allocationCursor >= m_blocks.size())
-            break;
-        
-        setIsCanAllocateButNotEmpty(NoLockingNecessary, m_allocationCursor, false);
-
-        if (void* result = tryAllocateIn(m_blocks[m_allocationCursor]))
-            return result;
-    }
-    
-    if (Options::stealEmptyBlocksFromOtherAllocators()
-        && (tradeDestructorBlocks || !needsDestruction())) {
-        if (MarkedBlock::Handle* block = m_subspace->findEmptyBlockToSteal()) {
-            RELEASE_ASSERT(block->alignedMemoryAllocator() == m_subspace->alignedMemoryAllocator());
-            
-            block->sweep(nullptr);
-            
-            // It's good that this clears canAllocateButNotEmpty as well as all other bits,
-            // because there is a remote chance that a block may have both canAllocateButNotEmpty
-            // and empty set at the same time.
-            block->removeFromDirectory();
-            addBlock(block);
-            return allocateIn(block);
-        }
-    }
-    
-    return nullptr;
-}
-
-void* BlockDirectory::allocateIn(MarkedBlock::Handle* block)
-{
-    void* result = tryAllocateIn(block);
-    RELEASE_ASSERT(result);
-    return result;
-}
-
-void* BlockDirectory::tryAllocateIn(MarkedBlock::Handle* block)
-{
-    ASSERT(block);
-    ASSERT(!block->isFreeListed());
-    
-    block->sweep(&m_freeList);
-    
-    // It's possible to stumble on a completely full block. Marking tries to retire these, but
-    // that algorithm is racy and may forget to do it sometimes.
-    if (m_freeList.allocationWillFail()) {
-        ASSERT(block->isFreeListed());
-        block->unsweepWithNoNewlyAllocated();
-        ASSERT(!block->isFreeListed());
-        ASSERT(!isEmpty(NoLockingNecessary, block));
-        ASSERT(!isCanAllocateButNotEmpty(NoLockingNecessary, block));
+MarkedBlock::Handle* BlockDirectory::findBlockForAllocation()
+{
+    m_allocationCursor = (m_canAllocateButNotEmpty | m_empty).findBit(m_allocationCursor, true);
+    if (m_allocationCursor >= m_blocks.size())
         return nullptr;
-    }
-    
-    m_currentBlock = block;
-    
-    void* result = m_freeList.allocate(
-        [] () -> HeapCell* {
-            RELEASE_ASSERT_NOT_REACHED();
-            return nullptr;
-        });
-    setIsEden(NoLockingNecessary, m_currentBlock, true);
-    markedSpace().didAllocateInBlock(m_currentBlock);
-    return result;
-}
-
-ALWAYS_INLINE void BlockDirectory::doTestCollectionsIfNeeded(GCDeferralContext* deferralContext)
-{
-    if (!Options::slowPathAllocsBetweenGCs())
-        return;
-
-    static unsigned allocationCount = 0;
-    if (!allocationCount) {
-        if (!m_heap->isDeferred()) {
-            if (deferralContext)
-                deferralContext->m_shouldGC = true;
-            else
-                m_heap->collectNow(Sync, CollectionScope::Full);
-        }
-    }
-    if (++allocationCount >= Options::slowPathAllocsBetweenGCs())
-        allocationCount = 0;
-}
-
-void* BlockDirectory::allocateSlowCase(GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
-{
-    SuperSamplerScope superSamplerScope(false);
-    ASSERT(m_heap->vm()->currentThreadIsHoldingAPILock());
-    doTestCollectionsIfNeeded(deferralContext);
-
-    ASSERT(!markedSpace().isIterating());
-    m_heap->didAllocate(m_freeList.originalSize());
-    
-    didConsumeFreeList();
-    
-    AllocatingScope helpingHeap(*m_heap);
-
-    m_heap->collectIfNecessaryOrDefer(deferralContext);
-    
-    // Goofy corner case: the GC called a callback and now this directory has a currentBlock. This only
-    // happens when running WebKit tests, which inject a callback into the GC's finalization.
-    if (UNLIKELY(m_currentBlock))
-        return allocate(deferralContext, failureMode);
-    
-    void* result = tryAllocateWithoutCollecting();
-    
-    if (LIKELY(result != 0))
-        return result;
-    
-    MarkedBlock::Handle* block = tryAllocateBlock();
-    if (!block) {
-        if (failureMode == AllocationFailureMode::Assert)
-            RELEASE_ASSERT_NOT_REACHED();
-        else
-            return nullptr;
-    }
-    addBlock(block);
-    result = allocateIn(block);
-    ASSERT(result);
-    return result;
+    
+    setIsCanAllocateButNotEmpty(NoLockingNecessary, m_allocationCursor, false);
+    return m_blocks[m_allocationCursor];
 }
 
@@ -314 +180 @@
     if (false)
         dataLog(RawPointer(this), ": BlockDirectory::stopAllocating!\n");
-    ASSERT(!m_lastActiveBlock);
-    if (!m_currentBlock) {
-        ASSERT(m_freeList.allocationWillFail());
-        return;
-    }
-    
-    m_currentBlock->stopAllocating(m_freeList);
-    m_lastActiveBlock = m_currentBlock;
-    m_currentBlock = 0;
-    m_freeList.clear();
+    m_localAllocators.forEach(
+        [&] (LocalAllocator* allocator) {
+            allocator->stopAllocating();
+        });
 }
 
 void BlockDirectory::prepareForAllocation()
 {
-    m_lastActiveBlock = nullptr;
-    m_currentBlock = nullptr;
-    m_freeList.clear();
-
+    m_localAllocators.forEach(
+        [&] (LocalAllocator* allocator) {
+            allocator->prepareForAllocation();
+        });
+    
     m_allocationCursor = 0;
     m_emptyCursor = 0;
@@ -345 +206 @@
 }
 
+void BlockDirectory::stopAllocatingForGood()
+{
+    if (false)
+        dataLog(RawPointer(this), ": BlockDirectory::stopAllocatingForGood!\n");
+    
+    m_localAllocators.forEach(
+        [&] (LocalAllocator* allocator) {
+            allocator->stopAllocatingForGood();
+        });
+
+    auto locker = holdLock(m_localAllocatorsLock);
+    while (!m_localAllocators.isEmpty())
+        m_localAllocators.begin()->remove();
+}
+
 void BlockDirectory::lastChanceToFinalize()
 {
@@ -355 +231 @@
 void BlockDirectory::resumeAllocating()
 {
-    if (!m_lastActiveBlock)
-        return;
-
-    m_lastActiveBlock->resumeAllocating(m_freeList);
-    m_currentBlock = m_lastActiveBlock;
-    m_lastActiveBlock = nullptr;
+    m_localAllocators.forEach(
+        [&] (LocalAllocator* allocator) {
+            allocator->resumeAllocating();
+        });
 }
 
@@ -380 +254 @@
     // vectors.
     
-    if (!tradeDestructorBlocks && needsDestruction()) {
+    if (!Options::tradeDestructorBlocks() && needsDestruction()) {
         ASSERT(m_empty.isEmpty());
         m_canAllocateButNotEmpty = m_live & ~m_markingRetired;
@@ -513 +387 @@
 }
 
+bool BlockDirectory::isFreeListedCell(const void* target)
+{
+    bool result = false;
+    m_localAllocators.forEach(
+        [&] (LocalAllocator* allocator) {
+            result |= allocator->isFreeListedCell(target);
+        });
+    return result;
+}
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/heap/BlockDirectory.h

@@ -27 +27 @@
 
 #include "AllocationFailureMode.h"
+#include "Allocator.h"
 #include "CellAttributes.h"
 #include "FreeList.h"
+#include "LocalAllocator.h"
 #include "MarkedBlock.h"
 #include <wtf/DataLog.h>
@@ -42 +44 @@
 class MarkedSpace;
 class LLIntOffsetsExtractor;
+class ThreadLocalCacheLayout;
 
 #define FOR_EACH_BLOCK_DIRECTORY_BIT(macro) \
@@ -77 +80 @@
 
 public:
-    static ptrdiff_t offsetOfFreeList();
-    static ptrdiff_t offsetOfCellSize();
-
     BlockDirectory(Heap*, size_t cellSize);
     void setSubspace(Subspace*);
@@ -85 +85 @@
     void prepareForAllocation();
     void stopAllocating();
+    void stopAllocatingForGood();
     void resumeAllocating();
     void beginMarkingForFullCollection();
@@ -98 +99 @@
     DestructionMode destruction() const { return m_attributes.destruction; }
     HeapCell::Kind cellKind() const { return m_attributes.cellKind; }
-    void* allocate(GCDeferralContext*, AllocationFailureMode);
     Heap* heap() { return m_heap; }
 
-    bool isFreeListedCell(const void* target) const;
+    bool isFreeListedCell(const void* target);
 
     template<typename Functor> void forEachBlock(const Functor&);
@@ -158 +158 @@
     MarkedSpace& markedSpace() const;
     
-    const FreeList& freeList() const { return m_freeList; }
+    Allocator allocator() const { return Allocator(m_tlcOffset); }
     
     void dump(PrintStream&) const;
@@ -164 +164 @@
     
 private:
+    friend class LocalAllocator;
     friend class IsoCellSet;
     friend class MarkedBlock;
-    
-    JS_EXPORT_PRIVATE void* allocateSlowCase(GCDeferralContext*, AllocationFailureMode failureMode);
-    void didConsumeFreeList();
-    void* tryAllocateWithoutCollecting();
+    friend class ThreadLocalCacheLayout;
+    
+    MarkedBlock::Handle* findBlockForAllocation();
+    
     MarkedBlock::Handle* tryAllocateBlock();
-    void* tryAllocateIn(MarkedBlock::Handle*);
-    void* allocateIn(MarkedBlock::Handle*);
-    ALWAYS_INLINE void doTestCollectionsIfNeeded(GCDeferralContext*);
-    
-    FreeList m_freeList;
     
     Vector<MarkedBlock::Handle*> m_blocks;
@@ -194 +190 @@
     size_t m_unsweptCursor { 0 }; // Points to the next block that is a candidate for incremental sweeping.
     
-    MarkedBlock::Handle* m_currentBlock;
-    MarkedBlock::Handle* m_lastActiveBlock;
-
-    Lock m_lock;
     unsigned m_cellSize;
     CellAttributes m_attributes;
@@ -207 +199 @@
     BlockDirectory* m_nextDirectoryInSubspace { nullptr };
     BlockDirectory* m_nextDirectoryInAlignedMemoryAllocator { nullptr };
+    
+    Lock m_localAllocatorsLock;
+    size_t m_tlcOffset;
+    SentinelLinkedList<LocalAllocator, BasicRawSentinelNode<LocalAllocator>> m_localAllocators;
 };
 
-inline ptrdiff_t BlockDirectory::offsetOfFreeList()
-{
-    return OBJECT_OFFSETOF(BlockDirectory, m_freeList);
-}
-
-inline ptrdiff_t BlockDirectory::offsetOfCellSize()
-{
-    return OBJECT_OFFSETOF(BlockDirectory, m_cellSize);
-}
-
 } // namespace JSC

trunk/Source/JavaScriptCore/heap/BlockDirectoryInlines.h

@@ -32 +32 @@
 namespace JSC {
 
-inline bool BlockDirectory::isFreeListedCell(const void* target) const
-{
-    return m_freeList.contains(bitwise_cast<HeapCell*>(target));
-}
-
-ALWAYS_INLINE void* BlockDirectory::allocate(GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
-{
-    return m_freeList.allocate(
-        [&] () -> HeapCell* {
-            sanitizeStackForVM(heap()->vm());
-            return static_cast<HeapCell*>(allocateSlowCase(deferralContext, failureMode));
-        });
-}
-
 template <typename Functor> inline void BlockDirectory::forEachBlock(const Functor& functor)
 {

trunk/Source/JavaScriptCore/heap/CompleteSubspace.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 #include "Subspace.h"
 
+#include "AlignedMemoryAllocator.h"
+#include "AllocatorInlines.h"
 #include "BlockDirectoryInlines.h"
 #include "JSCInlines.h"
+#include "LocalAllocatorInlines.h"
 #include "MarkedBlockInlines.h"
 #include "PreventCollectionScope.h"
 #include "SubspaceInlines.h"
+#include "ThreadLocalCacheInlines.h"
 
 namespace JSC {
@@ -39 +43 @@
 {
     initialize(heapCellType, alignedMemoryAllocator);
-    for (size_t i = MarkedSpace::numSizeClasses; i--;)
-        m_allocatorForSizeStep[i] = nullptr;
 }
 
@@ -47 +49 @@
 }
 
-BlockDirectory* CompleteSubspace::allocatorFor(size_t size, AllocatorForMode mode)
+Allocator CompleteSubspace::allocatorFor(size_t size, AllocatorForMode mode)
 {
     return allocatorForNonVirtual(size, mode);
 }
 
-void* CompleteSubspace::allocate(size_t size, GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
+void* CompleteSubspace::allocate(VM& vm, size_t size, GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
 {
-    return allocateNonVirtual(size, deferralContext, failureMode);
+    return allocateNonVirtual(vm, size, deferralContext, failureMode);
 }
 
-void* CompleteSubspace::allocateNonVirtual(size_t size, GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
+void* CompleteSubspace::allocateNonVirtual(VM& vm, size_t size, GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
 {
-    void *result;
-    if (BlockDirectory* allocator = allocatorForNonVirtual(size, AllocatorForMode::AllocatorIfExists))
-        result = allocator->allocate(deferralContext, failureMode);
-    else
-        result = allocateSlow(size, deferralContext, failureMode);
-    return result;
+    Allocator allocator = allocatorForNonVirtual(size, AllocatorForMode::AllocatorIfExists);
+    return allocator.tryAllocate(
+        vm, deferralContext, failureMode,
+        [&] () {
+            return allocateSlow(vm, size, deferralContext, failureMode);
+        });
 }
 
-BlockDirectory* CompleteSubspace::allocatorForSlow(size_t size)
+Allocator CompleteSubspace::allocatorForSlow(size_t size)
 {
     size_t index = MarkedSpace::sizeClassToIndex(size);
     size_t sizeClass = MarkedSpace::s_sizeClassForSizeStep[index];
     if (!sizeClass)
-        return nullptr;
+        return Allocator();
     
     // This is written in such a way that it's OK for the JIT threads to end up here if they want
@@ -83 +85 @@
     // enough: it will have 
     auto locker = holdLock(m_space.directoryLock());
-    if (BlockDirectory* allocator = m_allocatorForSizeStep[index])
+    if (Allocator allocator = m_allocatorForSizeStep[index])
         return allocator;
 
@@ -99 +101 @@
             break;
 
-        m_allocatorForSizeStep[index] = directory;
+        m_allocatorForSizeStep[index] = directory->allocator();
         
         if (!index--)
@@ -108 +110 @@
     WTF::storeStoreFence();
     m_firstDirectory = directory;
-    return directory;
+    return directory->allocator();
 }
 
-void* CompleteSubspace::allocateSlow(size_t size, GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
+void* CompleteSubspace::allocateSlow(VM& vm, size_t size, GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
 {
-    void* result = tryAllocateSlow(size, deferralContext);
+    void* result = tryAllocateSlow(vm, size, deferralContext);
     if (failureMode == AllocationFailureMode::Assert)
         RELEASE_ASSERT(result);
@@ -119 +121 @@
 }
 
-void* CompleteSubspace::tryAllocateSlow(size_t size, GCDeferralContext* deferralContext)
+void* CompleteSubspace::tryAllocateSlow(VM& vm, size_t size, GCDeferralContext* deferralContext)
 {
-    sanitizeStackForVM(m_space.heap()->vm());
+    sanitizeStackForVM(&vm);
     
-    if (BlockDirectory* allocator = allocatorFor(size, AllocatorForMode::EnsureAllocator))
-        return allocator->allocate(deferralContext, AllocationFailureMode::ReturnNull);
+    if (Allocator allocator = allocatorFor(size, AllocatorForMode::EnsureAllocator))
+        return allocator.allocate(vm, deferralContext, AllocationFailureMode::ReturnNull);
     
     if (size <= Options::largeAllocationCutoff()
@@ -133 +135 @@
     }
     
-    m_space.heap()->collectIfNecessaryOrDefer(deferralContext);
+    vm.heap.collectIfNecessaryOrDefer(deferralContext);
     
     size = WTF::roundUpToMultipleOf<MarkedSpace::sizeStep>(size);
-    LargeAllocation* allocation = LargeAllocation::tryCreate(*m_space.m_heap, size, this);
+    LargeAllocation* allocation = LargeAllocation::tryCreate(vm.heap, size, this);
     if (!allocation)
         return nullptr;
     
     m_space.m_largeAllocations.append(allocation);
-    m_space.m_heap->didAllocate(size);
+    vm.heap.didAllocate(size);
     m_space.m_capacity += size;
     

trunk/Source/JavaScriptCore/heap/CompleteSubspace.h

@@ -40 +40 @@
     // FIXME: Currently subspaces speak of BlockDirectories as "allocators", but that's temporary.
     // https://bugs.webkit.org/show_bug.cgi?id=181559
-    BlockDirectory* allocatorFor(size_t, AllocatorForMode) override;
-    BlockDirectory* allocatorForNonVirtual(size_t, AllocatorForMode);
+    Allocator allocatorFor(size_t, AllocatorForMode) override;
+    Allocator allocatorForNonVirtual(size_t, AllocatorForMode);
     
-    void* allocate(size_t, GCDeferralContext*, AllocationFailureMode) override;
-    JS_EXPORT_PRIVATE void* allocateNonVirtual(size_t, GCDeferralContext*, AllocationFailureMode);
+    void* allocate(VM&, size_t, GCDeferralContext*, AllocationFailureMode) override;
+    JS_EXPORT_PRIVATE void* allocateNonVirtual(VM&, size_t, GCDeferralContext*, AllocationFailureMode);
     
     static ptrdiff_t offsetOfAllocatorForSizeStep() { return OBJECT_OFFSETOF(CompleteSubspace, m_allocatorForSizeStep); }
     
-    BlockDirectory** allocatorForSizeStep() { return &m_allocatorForSizeStep[0]; }
+    Allocator* allocatorForSizeStep() { return &m_allocatorForSizeStep[0]; }
 
 private:
-    BlockDirectory* allocatorForSlow(size_t);
+    Allocator allocatorForSlow(size_t);
     
     // These slow paths are concerned with large allocations and allocator creation.
-    void* allocateSlow(size_t, GCDeferralContext*, AllocationFailureMode);
-    void* tryAllocateSlow(size_t, GCDeferralContext*);
+    void* allocateSlow(VM&, size_t, GCDeferralContext*, AllocationFailureMode);
+    void* tryAllocateSlow(VM&, size_t, GCDeferralContext*);
     
-    std::array<BlockDirectory*, MarkedSpace::numSizeClasses> m_allocatorForSizeStep;
+    std::array<Allocator, MarkedSpace::numSizeClasses> m_allocatorForSizeStep;
     Vector<std::unique_ptr<BlockDirectory>> m_directories;
 };
 
-ALWAYS_INLINE BlockDirectory* CompleteSubspace::allocatorForNonVirtual(size_t size, AllocatorForMode mode)
+ALWAYS_INLINE Allocator CompleteSubspace::allocatorForNonVirtual(size_t size, AllocatorForMode mode)
 {
     if (size <= MarkedSpace::largeCutoff) {
-        BlockDirectory* result = m_allocatorForSizeStep[MarkedSpace::sizeClassToIndex(size)];
+        Allocator result = m_allocatorForSizeStep[MarkedSpace::sizeClassToIndex(size)];
         switch (mode) {
         case AllocatorForMode::MustAlreadyHaveAllocator:
@@ -79 +79 @@
     }
     RELEASE_ASSERT(mode != AllocatorForMode::MustAlreadyHaveAllocator);
-    return nullptr;
+    return Allocator();
 }
 

trunk/Source/JavaScriptCore/heap/FreeList.h

@@ -58 +58 @@
 
 class FreeList {
-    WTF_MAKE_NONCOPYABLE(FreeList);
-    
 public:
     FreeList(unsigned cellSize);

trunk/Source/JavaScriptCore/heap/GCDeferralContext.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -30 +30 @@
 class Heap;
 class BlockDirectory;
+class LocalAllocator;
 
 class GCDeferralContext {
     friend class Heap;
     friend class BlockDirectory;
+    friend class LocalAllocator;
 public:
     inline GCDeferralContext(Heap&);

trunk/Source/JavaScriptCore/heap/Heap.cpp

@@ -69 +69 @@
 #include "SweepingScope.h"
 #include "SynchronousStopTheWorldMutatorScheduler.h"
+#include "ThreadLocalCacheLayout.h"
 #include "TypeProfiler.h"
 #include "TypeProfilerLog.h"
@@ -313 +314 @@
     , m_threadLock(Box<Lock>::create())
     , m_threadCondition(AutomaticThreadCondition::create())
+    , m_threadLocalCacheLayout(std::make_unique<ThreadLocalCacheLayout>())
 {
     m_worldState.store(0);
@@ -447 +449 @@
     
     m_arrayBuffers.lastChanceToFinalize();
-    m_objectSpace.stopAllocating();
+    m_objectSpace.stopAllocatingForGood();
     m_objectSpace.lastChanceToFinalize();
     releaseDelayedReleasedObjects();

trunk/Source/JavaScriptCore/heap/Heap.h

@@ -85 +85 @@
 class StopIfNecessaryTimer;
 class SweepingScope;
+class ThreadLocalCacheLayout;
 class VM;
 class WeakGCMapBase;
@@ -373 +374 @@
     template<typename Func>
     void forEachSlotVisitor(const Func&);
+    
+    ThreadLocalCacheLayout& threadLocalCacheLayout() { return *m_threadLocalCacheLayout; }
 
 private:
@@ -715 +718 @@
     CurrentThreadState* m_currentThreadState { nullptr };
     WTF::Thread* m_currentThread { nullptr }; // It's OK if this becomes a dangling pointer.
+    
+    std::unique_ptr<ThreadLocalCacheLayout> m_threadLocalCacheLayout;
 };
 

trunk/Source/JavaScriptCore/heap/IsoCellSet.h

@@ -26 +26 @@
 #pragma once
 
+#include "MarkedBlock.h"
 #include <wtf/Bitmap.h>
 #include <wtf/ConcurrentVector.h>
 #include <wtf/FastBitVector.h>
+#include <wtf/SentinelLinkedList.h>
+#include <wtf/SharedTask.h>
 
 namespace JSC {

trunk/Source/JavaScriptCore/heap/IsoSubspace.cpp

@@ -27 +27 @@
 #include "IsoSubspace.h"
 
+#include "AllocatorInlines.h"
 #include "BlockDirectoryInlines.h"
 #include "IsoAlignedMemoryAllocator.h"
+#include "LocalAllocatorInlines.h"
+#include "ThreadLocalCacheInlines.h"
 
 namespace JSC {
@@ -36 +39 @@
     , m_size(size)
     , m_directory(&heap, WTF::roundUpToMultipleOf<MarkedBlock::atomSize>(size))
+    , m_allocator(m_directory.allocator())
     , m_isoAlignedMemoryAllocator(std::make_unique<IsoAlignedMemoryAllocator>())
 {
@@ -51 +55 @@
 }
 
-BlockDirectory* IsoSubspace::allocatorFor(size_t size, AllocatorForMode mode)
+Allocator IsoSubspace::allocatorFor(size_t size, AllocatorForMode mode)
 {
     return allocatorForNonVirtual(size, mode);
 }
 
-void* IsoSubspace::allocate(size_t size, GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
+void* IsoSubspace::allocate(VM& vm, size_t size, GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
 {
-    return allocateNonVirtual(size, deferralContext, failureMode);
+    return allocateNonVirtual(vm, size, deferralContext, failureMode);
 }
 
-void* IsoSubspace::allocateNonVirtual(size_t size, GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
+void* IsoSubspace::allocateNonVirtual(VM& vm, size_t size, GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
 {
     RELEASE_ASSERT(size == this->size());
-    void* result = m_directory.allocate(deferralContext, failureMode);
+    void* result = m_allocator.allocate(vm, deferralContext, failureMode);
     return result;
 }

trunk/Source/JavaScriptCore/heap/IsoSubspace.h

@@ -42 +42 @@
     size_t size() const { return m_size; }
 
-    BlockDirectory* allocatorFor(size_t, AllocatorForMode) override;
-    BlockDirectory* allocatorForNonVirtual(size_t, AllocatorForMode);
+    Allocator allocatorFor(size_t, AllocatorForMode) override;
+    Allocator allocatorForNonVirtual(size_t, AllocatorForMode);
 
-    void* allocate(size_t, GCDeferralContext*, AllocationFailureMode) override;
-    JS_EXPORT_PRIVATE void* allocateNonVirtual(size_t, GCDeferralContext*, AllocationFailureMode);
+    void* allocate(VM&, size_t, GCDeferralContext*, AllocationFailureMode) override;
+    JS_EXPORT_PRIVATE void* allocateNonVirtual(VM&, size_t, GCDeferralContext*, AllocationFailureMode);
 
 private:
@@ -57 +57 @@
     size_t m_size;
     BlockDirectory m_directory;
+    Allocator m_allocator;
     std::unique_ptr<IsoAlignedMemoryAllocator> m_isoAlignedMemoryAllocator;
     SentinelLinkedList<IsoCellSet, BasicRawSentinelNode<IsoCellSet>> m_cellSets;
 };
 
-inline BlockDirectory* IsoSubspace::allocatorForNonVirtual(size_t size, AllocatorForMode)
+inline Allocator IsoSubspace::allocatorForNonVirtual(size_t size, AllocatorForMode)
 {
     RELEASE_ASSERT(size == this->size());
-    return &m_directory;
+    return m_allocator;
 }
 

trunk/Source/JavaScriptCore/heap/MarkedBlock.cpp

@@ -400 +400 @@
         return;
 
-    RELEASE_ASSERT(!m_isFreeListed);
-    RELEASE_ASSERT(!isAllocated());
+    if (m_isFreeListed) {
+        dataLog("FATAL: ", RawPointer(this), "->sweep: block is free-listed.\n");
+        RELEASE_ASSERT_NOT_REACHED();
+    }
+    
+    if (isAllocated()) {
+        dataLog("FATAL: ", RawPointer(this), "->sweep: block is allocated.\n");
+        RELEASE_ASSERT_NOT_REACHED();
+    }
     
     if (space()->isMarking())

trunk/Source/JavaScriptCore/heap/MarkedSpace.cpp

@@ -303 +303 @@
 }
 
+void MarkedSpace::stopAllocatingForGood()
+{
+    ASSERT(!isIterating());
+    forEachDirectory(
+        [&] (BlockDirectory& directory) -> IterationStatus {
+            directory.stopAllocatingForGood();
+            return IterationStatus::Continue;
+        });
+}
+
 void MarkedSpace::prepareForConservativeScan()
 {

trunk/Source/JavaScriptCore/heap/MarkedSpace.h

@@ -95 +95 @@
     Heap* heap() const { return m_heap; }
     
-    void lastChanceToFinalize(); // You must call stopAllocating before you call this.
+    void lastChanceToFinalize(); // Must call stopAllocatingForGood first.
     void freeMemory();
 
@@ -112 +112 @@
 
     void stopAllocating();
+    void stopAllocatingForGood();
     void resumeAllocating(); // If we just stopped allocation but we didn't do a collection, we need to resume allocation.
     

trunk/Source/JavaScriptCore/heap/SlotVisitor.cpp

@@ -38 +38 @@
 #include "JSString.h"
 #include "JSCInlines.h"
+#include "MarkingConstraintSolver.h"
 #include "SlotVisitorInlines.h"
 #include "StopIfNecessaryTimer.h"

trunk/Source/JavaScriptCore/heap/SlotVisitor.h

@@ -32 +32 @@
 #include <wtf/Forward.h>
 #include <wtf/MonotonicTime.h>
+#include <wtf/SharedTask.h>
 #include <wtf/text/CString.h>
 
@@ -42 +43 @@
 class HeapSnapshotBuilder;
 class MarkedBlock;
+class MarkingConstraint;
 class MarkingConstraintSolver;
 class UnconditionalFinalizer;

trunk/Source/JavaScriptCore/heap/Subspace.h

@@ -28 +28 @@
 #include "AllocationFailureMode.h"
 #include "AllocatorForMode.h"
+#include "Allocator.h"
 #include "MarkedBlock.h"
 #include "MarkedSpace.h"
@@ -57 +58 @@
     void destroy(VM&, JSCell*);
 
-    virtual BlockDirectory* allocatorFor(size_t, AllocatorForMode) = 0;
-    virtual void* allocate(size_t, GCDeferralContext*, AllocationFailureMode) = 0;
+    virtual Allocator allocatorFor(size_t, AllocatorForMode) = 0;
+    virtual void* allocate(VM&, size_t, GCDeferralContext*, AllocationFailureMode) = 0;
     
     void prepareForAllocation();

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2011-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -582 +582 @@
 }
 #endif
+
+void AssemblyHelpers::emitAllocateWithNonNullAllocator(GPRReg resultGPR, const JITAllocator& allocator, GPRReg allocatorGPR, GPRReg scratchGPR, JumpList& slowPath)
+{
+    // NOTE: This is carefully written so that we can call it while we disallow scratch
+    // register usage.
+        
+    if (Options::forceGCSlowPaths()) {
+        slowPath.append(jump());
+        return;
+    }
+    
+    Jump popPath;
+    Jump done;
+    
+#if ENABLE(FAST_TLS_JIT)
+    loadFromTLSPtr(fastTLSOffsetForKey(WTF_GC_TLC_KEY), scratchGPR);
+#else
+    loadPtr(&vm().threadLocalCacheData, scratchGPR);
+#endif
+    if (!isX86())
+        load32(Address(scratchGPR, ThreadLocalCache::offsetOfSizeInData()), resultGPR);
+    if (allocator.isConstant()) {
+        if (isX86())
+            slowPath.append(branch32(BelowOrEqual, Address(scratchGPR, ThreadLocalCache::offsetOfSizeInData()), TrustedImm32(allocator.allocator().offset())));
+        else
+            slowPath.append(branch32(BelowOrEqual, resultGPR, TrustedImm32(allocator.allocator().offset())));
+        addPtr(TrustedImm32(ThreadLocalCache::offsetOfFirstAllocatorInData() + allocator.allocator().offset()), scratchGPR, allocatorGPR);
+    } else {
+        if (isX86())
+            slowPath.append(branch32(BelowOrEqual, Address(scratchGPR, ThreadLocalCache::offsetOfSizeInData()), allocatorGPR));
+        else
+            slowPath.append(branch32(BelowOrEqual, resultGPR, allocatorGPR));
+        addPtr(TrustedImm32(ThreadLocalCache::offsetOfFirstAllocatorInData()), allocatorGPR);
+        addPtr(scratchGPR, allocatorGPR);
+    }
+
+    load32(Address(allocatorGPR, LocalAllocator::offsetOfFreeList() + FreeList::offsetOfRemaining()), resultGPR);
+    popPath = branchTest32(Zero, resultGPR);
+    if (allocator.isConstant())
+        add32(TrustedImm32(-allocator.allocator().cellSize(vm().heap)), resultGPR, scratchGPR);
+    else {
+        if (isX86()) {
+            move(resultGPR, scratchGPR);
+            sub32(Address(allocatorGPR, LocalAllocator::offsetOfCellSize()), scratchGPR);
+        } else {
+            load32(Address(allocatorGPR, LocalAllocator::offsetOfCellSize()), scratchGPR);
+            sub32(resultGPR, scratchGPR, scratchGPR);
+        }
+    }
+    negPtr(resultGPR);
+    store32(scratchGPR, Address(allocatorGPR, LocalAllocator::offsetOfFreeList() + FreeList::offsetOfRemaining()));
+    Address payloadEndAddr = Address(allocatorGPR, LocalAllocator::offsetOfFreeList() + FreeList::offsetOfPayloadEnd());
+    if (isX86())
+        addPtr(payloadEndAddr, resultGPR);
+    else {
+        loadPtr(payloadEndAddr, scratchGPR);
+        addPtr(scratchGPR, resultGPR);
+    }
+        
+    done = jump();
+        
+    popPath.link(this);
+        
+    loadPtr(Address(allocatorGPR, LocalAllocator::offsetOfFreeList() + FreeList::offsetOfScrambledHead()), resultGPR);
+    if (isX86())
+        xorPtr(Address(allocatorGPR, LocalAllocator::offsetOfFreeList() + FreeList::offsetOfSecret()), resultGPR);
+    else {
+        loadPtr(Address(allocatorGPR, LocalAllocator::offsetOfFreeList() + FreeList::offsetOfSecret()), scratchGPR);
+        xorPtr(scratchGPR, resultGPR);
+    }
+    slowPath.append(branchTestPtr(Zero, resultGPR));
+        
+    // The object is half-allocated: we have what we know is a fresh object, but
+    // it's still on the GC's free list.
+    loadPtr(Address(resultGPR), scratchGPR);
+    storePtr(scratchGPR, Address(allocatorGPR, LocalAllocator::offsetOfFreeList() + FreeList::offsetOfScrambledHead()));
+        
+    done.link(this);
+}
+
+void AssemblyHelpers::emitAllocate(GPRReg resultGPR, const JITAllocator& allocator, GPRReg allocatorGPR, GPRReg scratchGPR, JumpList& slowPath)
+{
+    if (allocator.isConstant()) {
+        if (!allocator.allocator()) {
+            slowPath.append(jump());
+            return;
+        }
+    }
+    emitAllocateWithNonNullAllocator(resultGPR, allocator, allocatorGPR, scratchGPR, slowPath);
+}
+
+void AssemblyHelpers::emitAllocateVariableSized(GPRReg resultGPR, CompleteSubspace& subspace, GPRReg allocationSize, GPRReg scratchGPR1, GPRReg scratchGPR2, JumpList& slowPath)
+{
+    static_assert(!(MarkedSpace::sizeStep & (MarkedSpace::sizeStep - 1)), "MarkedSpace::sizeStep must be a power of two.");
+    
+    unsigned stepShift = getLSBSet(MarkedSpace::sizeStep);
+    
+    add32(TrustedImm32(MarkedSpace::sizeStep - 1), allocationSize, scratchGPR1);
+    urshift32(TrustedImm32(stepShift), scratchGPR1);
+    slowPath.append(branch32(Above, scratchGPR1, TrustedImm32(MarkedSpace::largeCutoff >> stepShift)));
+    move(TrustedImmPtr(subspace.allocatorForSizeStep() - 1), scratchGPR2);
+    load32(BaseIndex(scratchGPR2, scratchGPR1, TimesFour), scratchGPR1);
+    
+    emitAllocate(resultGPR, JITAllocator::variable(), scratchGPR1, scratchGPR2, slowPath);
+}
 
 void AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer(EntryFrame*& topEntryFrame)

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2011-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -33 +33 @@
 #include "Heap.h"
 #include "InlineCallFrame.h"
+#include "JITAllocator.h"
 #include "JITCode.h"
 #include "MacroAssembler.h"
@@ -60 +61 @@
 
     CodeBlock* codeBlock() { return m_codeBlock; }
+    VM& vm() { return *m_codeBlock->vm(); }
     AssemblerType_T& assembler() { return m_assembler; }
 
@@ -1492 +1494 @@
     // Call this if you know that the value held in allocatorGPR is non-null. This DOES NOT mean
     // that allocator is non-null; allocator can be null as a signal that we don't know what the
-    // value of allocatorGPR is.
-    void emitAllocateWithNonNullAllocator(GPRReg resultGPR, BlockDirectory* allocator, GPRReg allocatorGPR, GPRReg scratchGPR, JumpList& slowPath)
-    {
-        // NOTE: This is carefully written so that we can call it while we disallow scratch
-        // register usage.
-        
-        if (Options::forceGCSlowPaths()) {
-            slowPath.append(jump());
-            return;
-        }
-        
-        Jump popPath;
-        Jump done;
-        
-        load32(Address(allocatorGPR, BlockDirectory::offsetOfFreeList() + FreeList::offsetOfRemaining()), resultGPR);
-        popPath = branchTest32(Zero, resultGPR);
-        if (allocator)
-            add32(TrustedImm32(-allocator->cellSize()), resultGPR, scratchGPR);
-        else {
-            if (isX86()) {
-                move(resultGPR, scratchGPR);
-                sub32(Address(allocatorGPR, BlockDirectory::offsetOfCellSize()), scratchGPR);
-            } else {
-                load32(Address(allocatorGPR, BlockDirectory::offsetOfCellSize()), scratchGPR);
-                sub32(resultGPR, scratchGPR, scratchGPR);
-            }
-        }
-        negPtr(resultGPR);
-        store32(scratchGPR, Address(allocatorGPR, BlockDirectory::offsetOfFreeList() + FreeList::offsetOfRemaining()));
-        Address payloadEndAddr = Address(allocatorGPR, BlockDirectory::offsetOfFreeList() + FreeList::offsetOfPayloadEnd());
-        if (isX86())
-            addPtr(payloadEndAddr, resultGPR);
-        else {
-            loadPtr(payloadEndAddr, scratchGPR);
-            addPtr(scratchGPR, resultGPR);
-        }
-        
-        done = jump();
-        
-        popPath.link(this);
-        
-        loadPtr(Address(allocatorGPR, BlockDirectory::offsetOfFreeList() + FreeList::offsetOfScrambledHead()), resultGPR);
-        if (isX86())
-            xorPtr(Address(allocatorGPR, BlockDirectory::offsetOfFreeList() + FreeList::offsetOfSecret()), resultGPR);
-        else {
-            loadPtr(Address(allocatorGPR, BlockDirectory::offsetOfFreeList() + FreeList::offsetOfSecret()), scratchGPR);
-            xorPtr(scratchGPR, resultGPR);
-        }
-        slowPath.append(branchTestPtr(Zero, resultGPR));
-        
-        // The object is half-allocated: we have what we know is a fresh object, but
-        // it's still on the GC's free list.
-        loadPtr(Address(resultGPR), scratchGPR);
-        storePtr(scratchGPR, Address(allocatorGPR, BlockDirectory::offsetOfFreeList() + FreeList::offsetOfScrambledHead()));
-        
-        done.link(this);
-    }
-    
-    void emitAllocate(GPRReg resultGPR, BlockDirectory* allocator, GPRReg allocatorGPR, GPRReg scratchGPR, JumpList& slowPath)
-    {
-        if (!allocator)
-            slowPath.append(branchTestPtr(Zero, allocatorGPR));
-        emitAllocateWithNonNullAllocator(resultGPR, allocator, allocatorGPR, scratchGPR, slowPath);
-    }
+    // value of allocatorGPR is. Additionally, if the allocator is not null, then there is no need
+    // to populate allocatorGPR - this code will ignore the contents of allocatorGPR.
+    void emitAllocateWithNonNullAllocator(GPRReg resultGPR, const JITAllocator& allocator, GPRReg allocatorGPR, GPRReg scratchGPR, JumpList& slowPath);
+    
+    void emitAllocate(GPRReg resultGPR, const JITAllocator& allocator, GPRReg allocatorGPR, GPRReg scratchGPR, JumpList& slowPath);
     
     template<typename StructureType>
-    void emitAllocateJSCell(GPRReg resultGPR, BlockDirectory* allocator, GPRReg allocatorGPR, StructureType structure, GPRReg scratchGPR, JumpList& slowPath)
+    void emitAllocateJSCell(GPRReg resultGPR, const JITAllocator& allocator, GPRReg allocatorGPR, StructureType structure, GPRReg scratchGPR, JumpList& slowPath)
     {
         emitAllocate(resultGPR, allocator, allocatorGPR, scratchGPR, slowPath);
@@ -1565 +1508 @@
     
     template<typename StructureType, typename StorageType, typename MaskType>
-    void emitAllocateJSObject(GPRReg resultGPR, BlockDirectory* allocator, GPRReg allocatorGPR, StructureType structure, StorageType storage, MaskType mask, GPRReg scratchGPR, JumpList& slowPath)
+    void emitAllocateJSObject(GPRReg resultGPR, const JITAllocator& allocator, GPRReg allocatorGPR, StructureType structure, StorageType storage, MaskType mask, GPRReg scratchGPR, JumpList& slowPath)
     {
         emitAllocateJSCell(resultGPR, allocator, allocatorGPR, structure, scratchGPR, slowPath);
@@ -1577 +1520 @@
         GPRReg scratchGPR2, JumpList& slowPath, size_t size)
     {
-        BlockDirectory* allocator = subspaceFor<ClassType>(vm)->allocatorForNonVirtual(size, AllocatorForMode::AllocatorIfExists);
-        if (!allocator) {
-            slowPath.append(jump());
-            return;
-        }
-        move(TrustedImmPtr(allocator), scratchGPR1);
-        emitAllocateJSObject(resultGPR, allocator, scratchGPR1, structure, storage, mask, scratchGPR2, slowPath);
+        Allocator allocator = subspaceFor<ClassType>(vm)->allocatorForNonVirtual(size, AllocatorForMode::AllocatorIfExists);
+        emitAllocateJSObject(resultGPR, JITAllocator::constant(allocator), scratchGPR1, structure, storage, mask, scratchGPR2, slowPath);
     }
     
@@ -1594 +1532 @@
     // allocationSize can be aliased with any of the other input GPRs. If it's not aliased then it
     // won't be clobbered.
-    void emitAllocateVariableSized(GPRReg resultGPR, CompleteSubspace& subspace, GPRReg allocationSize, GPRReg scratchGPR1, GPRReg scratchGPR2, JumpList& slowPath)
-    {
-        static_assert(!(MarkedSpace::sizeStep & (MarkedSpace::sizeStep - 1)), "MarkedSpace::sizeStep must be a power of two.");
-        
-        unsigned stepShift = getLSBSet(MarkedSpace::sizeStep);
-        
-        add32(TrustedImm32(MarkedSpace::sizeStep - 1), allocationSize, scratchGPR1);
-        urshift32(TrustedImm32(stepShift), scratchGPR1);
-        slowPath.append(branch32(Above, scratchGPR1, TrustedImm32(MarkedSpace::largeCutoff >> stepShift)));
-        move(TrustedImmPtr(subspace.allocatorForSizeStep() - 1), scratchGPR2);
-        loadPtr(BaseIndex(scratchGPR2, scratchGPR1, timesPtr()), scratchGPR1);
-        
-        emitAllocate(resultGPR, nullptr, scratchGPR1, scratchGPR2, slowPath);
-    }
+    void emitAllocateVariableSized(GPRReg resultGPR, CompleteSubspace& subspace, GPRReg allocationSize, GPRReg scratchGPR1, GPRReg scratchGPR2, JumpList& slowPath);
     
     template<typename ClassType, typename StructureType>

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2018 Apple Inc. All rights reserved.
  * Copyright (C) 2010 Patrick Gansterer <paroga@paroga.com>
  *
@@ -82 +82 @@
     Structure* structure = currentInstruction[3].u.objectAllocationProfile->structure();
     size_t allocationSize = JSFinalObject::allocationSize(structure->inlineCapacity());
-    BlockDirectory* allocator = subspaceFor<JSFinalObject>(*m_vm)->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
+    Allocator allocator = subspaceFor<JSFinalObject>(*m_vm)->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
 
     RegisterID resultReg = regT0;
@@ -88 +88 @@
     RegisterID scratchReg = regT2;
 
-    move(TrustedImmPtr(allocator), allocatorReg);
-    if (allocator)
-        addSlowCase(Jump());
-    JumpList slowCases;
-    auto butterfly = TrustedImmPtr(nullptr);
-    auto mask = TrustedImm32(0);
-    emitAllocateJSObject(resultReg, allocator, allocatorReg, TrustedImmPtr(structure), butterfly, mask, scratchReg, slowCases);
-    emitInitializeInlineStorage(resultReg, structure->inlineCapacity());
-    addSlowCase(slowCases);
-    emitPutVirtualRegister(currentInstruction[1].u.operand);
+    if (!allocator)
+        addSlowCase(jump());
+    else {
+        JumpList slowCases;
+        auto butterfly = TrustedImmPtr(nullptr);
+        auto mask = TrustedImm32(0);
+        emitAllocateJSObject(resultReg, JITAllocator::constant(allocator), allocatorReg, TrustedImmPtr(structure), butterfly, mask, scratchReg, slowCases);
+        emitInitializeInlineStorage(resultReg, structure->inlineCapacity());
+        addSlowCase(slowCases);
+        emitPutVirtualRegister(currentInstruction[1].u.operand);
+    }
 }
 
@@ -767 +768 @@
     loadPtr(Address(calleeReg, JSFunction::offsetOfRareData()), rareDataReg);
     addSlowCase(branchTestPtr(Zero, rareDataReg));
-    loadPtr(Address(rareDataReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
+    load32(Address(rareDataReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
     loadPtr(Address(rareDataReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
-    addSlowCase(branchTestPtr(Zero, allocatorReg));
+    addSlowCase(branch32(Equal, allocatorReg, TrustedImm32(Allocator().offset())));
 
     loadPtr(cachedFunction, cachedFunctionReg);
@@ -779 +780 @@
     auto butterfly = TrustedImmPtr(nullptr);
     auto mask = TrustedImm32(0);
-    emitAllocateJSObject(resultReg, nullptr, allocatorReg, structureReg, butterfly, mask, scratchReg, slowCases);
+    emitAllocateJSObject(resultReg, JITAllocator::variable(), allocatorReg, structureReg, butterfly, mask, scratchReg, slowCases);
     emitGetVirtualRegister(callee, scratchReg);
     loadPtr(Address(scratchReg, JSFunction::offsetOfRareData()), scratchReg);

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2018 Apple Inc. All rights reserved.
  * Copyright (C) 2010 Patrick Gansterer <paroga@paroga.com>
  *
@@ -80 +80 @@
     Structure* structure = currentInstruction[3].u.objectAllocationProfile->structure();
     size_t allocationSize = JSFinalObject::allocationSize(structure->inlineCapacity());
-    BlockDirectory* allocator = subspaceFor<JSFinalObject>(*m_vm)->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
+    Allocator allocator = subspaceFor<JSFinalObject>(*m_vm)->allocatorForNonVirtual(allocationSize, AllocatorForMode::AllocatorIfExists);
 
     RegisterID resultReg = returnValueGPR;
@@ -86 +86 @@
     RegisterID scratchReg = regT3;
 
-    move(TrustedImmPtr(allocator), allocatorReg);
-    if (allocator)
-        addSlowCase(Jump());
-    JumpList slowCases;
-    auto butterfly = TrustedImmPtr(nullptr);
-    auto mask = TrustedImm32(0);
-    emitAllocateJSObject(resultReg, allocator, allocatorReg, TrustedImmPtr(structure), butterfly, mask, scratchReg, slowCases);
-    emitInitializeInlineStorage(resultReg, structure->inlineCapacity());
-    addSlowCase(slowCases);
-    emitStoreCell(currentInstruction[1].u.operand, resultReg);
+    if (!allocator)
+        addSlowCase(jump());
+    else {
+        JumpList slowCases;
+        auto butterfly = TrustedImmPtr(nullptr);
+        auto mask = TrustedImm32(0);
+        emitAllocateJSObject(resultReg, JITAllocator::constant(allocator), allocatorReg, TrustedImmPtr(structure), butterfly, mask, scratchReg, slowCases);
+        emitInitializeInlineStorage(resultReg, structure->inlineCapacity());
+        addSlowCase(slowCases);
+        emitStoreCell(currentInstruction[1].u.operand, resultReg);
+    }
 }
 
@@ -857 +858 @@
     loadPtr(Address(calleeReg, JSFunction::offsetOfRareData()), rareDataReg);
     addSlowCase(branchTestPtr(Zero, rareDataReg));
-    loadPtr(Address(rareDataReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
+    load32(Address(rareDataReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfAllocator()), allocatorReg);
     loadPtr(Address(rareDataReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfStructure()), structureReg);
-    addSlowCase(branchTestPtr(Zero, allocatorReg));
+    addSlowCase(branch32(Equal, allocatorReg, TrustedImm32(Allocator().offset())));
 
     loadPtr(cachedFunction, cachedFunctionReg);
@@ -869 +870 @@
     auto butterfly = TrustedImmPtr(nullptr);
     auto mask = TrustedImm32(0);
-    emitAllocateJSObject(resultReg, nullptr, allocatorReg, structureReg, butterfly, mask, scratchReg, slowCases);
+    emitAllocateJSObject(resultReg, JITAllocator::variable(), allocatorReg, structureReg, butterfly, mask, scratchReg, slowCases);
     addSlowCase(slowCases);
     emitStoreCell(currentInstruction[1].u.operand, resultReg);

trunk/Source/JavaScriptCore/runtime/ButterflyInlines.h

@@ -80 +80 @@
 {
     size_t size = totalSize(preCapacity, propertyCapacity, hasIndexingHeader, indexingPayloadSizeInBytes);
-    void* base = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(size, nullptr, AllocationFailureMode::Assert);
+    void* base = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(vm, size, nullptr, AllocationFailureMode::Assert);
     Butterfly* result = fromBase(base, preCapacity, propertyCapacity);
     return result;
@@ -88 +88 @@
 {
     size_t size = totalSize(preCapacity, propertyCapacity, hasIndexingHeader, indexingPayloadSizeInBytes);
-    void* base = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(size, nullptr, AllocationFailureMode::ReturnNull);
+    void* base = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(vm, size, nullptr, AllocationFailureMode::ReturnNull);
     if (!base)
         return nullptr;
@@ -166 +166 @@
     size_t oldSize = totalSize(0, propertyCapacity, hadIndexingHeader, oldIndexingPayloadSizeInBytes);
     size_t newSize = totalSize(0, propertyCapacity, true, newIndexingPayloadSizeInBytes);
-    void* newBase = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(newSize, nullptr, AllocationFailureMode::ReturnNull);
+    void* newBase = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(vm, newSize, nullptr, AllocationFailureMode::ReturnNull);
     if (!newBase)
         return nullptr;

trunk/Source/JavaScriptCore/runtime/DirectArguments.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -119 +119 @@
     putDirect(vm, vm.propertyNames->iteratorSymbol, globalObject()->arrayProtoValuesFunction(), static_cast<unsigned>(PropertyAttribute::DontEnum));
     
-    void* backingStore = vm.gigacageAuxiliarySpace(m_mappedArguments.kind).allocateNonVirtual(mappedArgumentsSize(), nullptr, AllocationFailureMode::Assert);
+    void* backingStore = vm.gigacageAuxiliarySpace(m_mappedArguments.kind).allocateNonVirtual(vm, mappedArgumentsSize(), nullptr, AllocationFailureMode::Assert);
     bool* overrides = static_cast<bool*>(backingStore);
     m_mappedArguments.set(vm, this, overrides);

trunk/Source/JavaScriptCore/runtime/GenericArgumentsInlines.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -264 +264 @@
 
     if (argsLength) {
-        void* backingStore = vm.gigacageAuxiliarySpace(m_modifiedArgumentsDescriptor.kind).allocateNonVirtual(WTF::roundUpToMultipleOf<8>(argsLength), nullptr, AllocationFailureMode::Assert);
+        void* backingStore = vm.gigacageAuxiliarySpace(m_modifiedArgumentsDescriptor.kind).allocateNonVirtual(vm, WTF::roundUpToMultipleOf<8>(argsLength), nullptr, AllocationFailureMode::Assert);
         bool* modifiedArguments = static_cast<bool*>(backingStore);
         m_modifiedArgumentsDescriptor.set(vm, this, modifiedArguments);

trunk/Source/JavaScriptCore/runtime/HashMapImpl.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -208 +208 @@
         auto scope = DECLARE_THROW_SCOPE(vm);
         size_t allocationSize = HashMapBuffer::allocationSize(capacity);
-        void* data = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(allocationSize, nullptr, AllocationFailureMode::ReturnNull);
+        void* data = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(vm, allocationSize, nullptr, AllocationFailureMode::ReturnNull);
         if (!data) {
             throwOutOfMemoryError(exec, scope);

trunk/Source/JavaScriptCore/runtime/JSArray.cpp

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2003-2017 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2018 Apple Inc. All rights reserved.
  *  Copyright (C) 2003 Peter Kelly (pmk@post.com)
  *  Copyright (C) 2006 Alexey Proskuryakov (ap@nypop.com)
@@ -82 +82 @@
 
         unsigned vectorLength = Butterfly::optimalContiguousVectorLength(structure, initialLength);
-        void* temp = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(Butterfly::totalSize(0, outOfLineStorage, true, vectorLength * sizeof(EncodedJSValue)), deferralContext, AllocationFailureMode::ReturnNull);
+        void* temp = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(
+            vm,
+            Butterfly::totalSize(0, outOfLineStorage, true, vectorLength * sizeof(EncodedJSValue)),
+            deferralContext, AllocationFailureMode::ReturnNull);
         if (UNLIKELY(!temp))
             return nullptr;
@@ -99 +102 @@
         static const unsigned indexBias = 0;
         unsigned vectorLength = ArrayStorage::optimalVectorLength(indexBias, structure, initialLength);
-        void* temp = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(Butterfly::totalSize(indexBias, outOfLineStorage, true, ArrayStorage::sizeFor(vectorLength)), deferralContext, AllocationFailureMode::ReturnNull);
+        void* temp = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(
+            vm,
+            Butterfly::totalSize(indexBias, outOfLineStorage, true, ArrayStorage::sizeFor(vectorLength)),
+            deferralContext, AllocationFailureMode::ReturnNull);
         if (UNLIKELY(!temp))
             return nullptr;
@@ -369 +375 @@
     } else {
         size_t newSize = Butterfly::totalSize(0, propertyCapacity, true, ArrayStorage::sizeFor(desiredCapacity));
-        newAllocBase = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(newSize, nullptr, AllocationFailureMode::ReturnNull);
+        newAllocBase = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(
+            vm, newSize, nullptr, AllocationFailureMode::ReturnNull);
         if (!newAllocBase)
             return false;

trunk/Source/JavaScriptCore/runtime/JSArray.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2003-2017 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2018 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -239 +239 @@
         unsigned vectorLength = Butterfly::optimalContiguousVectorLength(structure, vectorLengthHint);
         void* temp = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(
+            vm,
             Butterfly::totalSize(0, outOfLineStorage, true, vectorLength * sizeof(EncodedJSValue)),
             nullptr, AllocationFailureMode::ReturnNull);

trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp

@@ -67 +67 @@
         size_t size = sizeOf(length, elementSize);
         if (size) {
-            temp = vm.primitiveGigacageAuxiliarySpace.allocateNonVirtual(size, nullptr, AllocationFailureMode::ReturnNull);
+            temp = vm.primitiveGigacageAuxiliarySpace.allocateNonVirtual(vm, size, nullptr, AllocationFailureMode::ReturnNull);
             if (!temp)
                 return;

trunk/Source/JavaScriptCore/runtime/JSCellInlines.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -146 +146 @@
 ALWAYS_INLINE void* tryAllocateCellHelper(Heap& heap, size_t size, GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
 {
+    VM& vm = *heap.vm();
     ASSERT(deferralContext || !DisallowGC::isInEffectOnCurrentThread());
     ASSERT(size >= sizeof(T));
-    JSCell* result = static_cast<JSCell*>(subspaceFor<T>(*heap.vm())->allocateNonVirtual(size, deferralContext, failureMode));
+    JSCell* result = static_cast<JSCell*>(subspaceFor<T>(vm)->allocateNonVirtual(vm, size, deferralContext, failureMode));
     if (failureMode == AllocationFailureMode::ReturnNull && !result)
         return nullptr;
 #if ENABLE(GC_VALIDATION)
-    ASSERT(!heap.vm()->isInitializingObject());
-    heap.vm()->setInitializingObjectClass(T::info());
+    ASSERT(!vm.isInitializingObject());
+    vm.setInitializingObjectClass(T::info());
 #endif
     result->clearStructure();

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -336 +336 @@
 }
 
-JSGlobalObject::JSGlobalObject(VM& vm, Structure* structure, const GlobalObjectMethodTable* globalObjectMethodTable)
+JSGlobalObject::JSGlobalObject(VM& vm, Structure* structure, const GlobalObjectMethodTable* globalObjectMethodTable, RefPtr<ThreadLocalCache> threadLocalCache)
     : Base(vm, structure, 0)
     , m_vm(vm)
@@ -354 +354 @@
     , m_runtimeFlags()
     , m_globalObjectMethodTable(globalObjectMethodTable ? globalObjectMethodTable : &s_globalObjectMethodTable)
+    , m_threadLocalCache(threadLocalCache ? WTFMove(threadLocalCache) : vm.defaultThreadLocalCache)
 {
 }

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -492 +492 @@
 
 protected:
-    JS_EXPORT_PRIVATE explicit JSGlobalObject(VM&, Structure*, const GlobalObjectMethodTable* = 0);
+    JS_EXPORT_PRIVATE explicit JSGlobalObject(VM&, Structure*, const GlobalObjectMethodTable* = 0, RefPtr<ThreadLocalCache> = nullptr);
 
     JS_EXPORT_PRIVATE void finishCreation(VM&);
@@ -894 +894 @@
     void setWrapperMap(JSWrapperMap* map) { m_wrapperMap = map; }
 #endif
+    
+    ThreadLocalCache& threadLocalCache() const { return *m_threadLocalCache.get(); }
 
 protected:
@@ -925 +927 @@
     RetainPtr<JSWrapperMap> m_wrapperMap;
 #endif
+    
+    RefPtr<ThreadLocalCache> m_threadLocalCache;
 };
 

trunk/Source/JavaScriptCore/runtime/JSLock.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2005-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2005-2018 Apple Inc. All rights reserved.
  *
  * This library is free software; you can redistribute it and/or
@@ -29 +29 @@
 #include "MachineStackMarker.h"
 #include "SamplingProfiler.h"
+#include "ThreadLocalCacheInlines.h"
 #include "WasmMachineThreads.h"
 #include <thread>
@@ -148 +149 @@
     m_vm->setLastStackTop(thread.savedLastStackTop());
     ASSERT(thread.stack().contains(m_vm->lastStackTop()));
-
+    
+    m_vm->defaultThreadLocalCache->install(*m_vm);
+    
     m_vm->heap.machineThreads().addCurrentThread();
 #if ENABLE(WEBASSEMBLY)

trunk/Source/JavaScriptCore/runtime/Options.h

@@ -237 +237 @@
     v(bool, useBumpAllocator, true, Normal, nullptr) \
     v(bool, stealEmptyBlocksFromOtherAllocators, true, Normal, nullptr) \
+    v(bool, tradeDestructorBlocks, true, Normal, nullptr) \
     v(bool, eagerlyUpdateTopCallFrame, false, Normal, nullptr) \
     \

trunk/Source/JavaScriptCore/runtime/RegExpMatchesArray.h

@@ -1 +1 @@
 /*
- *  Copyright (C) 2008-2017 Apple Inc. All Rights Reserved.
+ *  Copyright (C) 2008-2018 Apple Inc. All Rights Reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -43 +43 @@
     JSGlobalObject* globalObject = structure->globalObject();
     bool createUninitialized = globalObject->isOriginalArrayStructure(structure);
-    void* temp = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(Butterfly::totalSize(0, structure->outOfLineCapacity(), true, vectorLength * sizeof(EncodedJSValue)), deferralContext, AllocationFailureMode::ReturnNull);
+    void* temp = vm.jsValueGigacageAuxiliarySpace.allocateNonVirtual(vm, Butterfly::totalSize(0, structure->outOfLineCapacity(), true, vectorLength * sizeof(EncodedJSValue)), deferralContext, AllocationFailureMode::ReturnNull);
     if (UNLIKELY(!temp))
         return nullptr;

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -122 +122 @@
 #include "StructureInlines.h"
 #include "TestRunnerUtils.h"
+#include "ThreadLocalCacheInlines.h"
 #include "ThunkGenerators.h"
 #include "TypeProfiler.h"
@@ -307 +308 @@
     setLastStackTop(stack.origin());
 
+    defaultThreadLocalCache = ThreadLocalCache::create(heap);
+    defaultThreadLocalCache->install(*this);
+
     // Need to be careful to keep everything consistent here
     JSLockHolder lock(this);
@@ -495 +499 @@
     m_apiLock->willDestroyVM(this);
     heap.lastChanceToFinalize();
+    
+#if !ENABLE(FAST_TLS_JIT)
+    ThreadLocalCache::destructor(threadLocalCacheData);
+#endif
 
     delete interpreter;

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -55 +55 @@
 #include "VMEntryRecord.h"
 #include "VMTraps.h"
+#include "ThreadLocalCache.h"
 #include "WasmContext.h"
 #include "Watchpoint.h"
@@ -657 +658 @@
     JSObject* stringRecursionCheckFirstObject { nullptr };
     HashSet<JSObject*> stringRecursionCheckVisitedObjects;
+    
+#if !ENABLE(FAST_TLS_JIT)
+    ThreadLocalCache::Data* threadLocalCacheData { nullptr };
+#endif
+    RefPtr<ThreadLocalCache> defaultThreadLocalCache;
 
     LocalTimeOffsetCache localTimeOffsetCache;

trunk/Source/JavaScriptCore/runtime/VMEntryScope.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -30 +30 @@
 #include "Options.h"
 #include "SamplingProfiler.h"
+#include "ThreadLocalCacheInlines.h"
 #include "VM.h"
 #include "Watchdog.h"
@@ -41 +42 @@
     , m_globalObject(globalObject)
 {
+    globalObject->threadLocalCache().install(vm);
     ASSERT(!DisallowVMReentry::isInEffectOnCurrentThread());
     ASSERT(Thread::current().stack().isGrowingDownward());

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2018-01-25  Filip Pizlo  <fpizlo@apple.com>
+
+        JSC GC should support TLCs (thread local caches)
+        https://bugs.webkit.org/show_bug.cgi?id=181559
+
+        Reviewed by Mark Lam and Saam Barati.
+
+        * wtf/Bitmap.h: Just fixing a compile error.
+
 2018-01-25  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/WTF/wtf/Bitmap.h

@@ -22 +22 @@
 #include <array>
 #include <wtf/Atomics.h>
+#include <wtf/HashFunctions.h>
 #include <wtf/StdLibExtras.h>
 #include <stdint.h>